Incident Of The Week: Security Researcher Uncovers 440 Million Records From Estée Lauder
Cosmetics Leader Middleware Database Publicly Exposed
Even the largest, well-trained and most diligent security teams can have glaring security vulnerabilities. The United Nations, Travelex and Microsoft have all made recent headlines for cyber security data incidents. The latest to find large amounts of data exposed is beauty manufacturer Estée Lauder.
In late January, a non-password protected database containing more than 440 million records was discovered by security researcher Jeremiah Fowler. After further review, it was determined to be connected to New York-based cosmetic company Estée Lauder. The company was sent a responsible disclosure notice and restricted public access to the database on the same day that it was notified.
“The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more,” Fowler said. The email addresses were assumed to be part of B2B activities handled by a middleware system.
The company issued a statement about the incident: “On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”
Bigger Is Not Always Better
Our research surveys of enterprise security leaders have found that larger enterprise organizations do not necessarily have larger security budgets.
The saying “living within your means” is a good mantra for organizations that are not receiving the funding needed for dynamic, continuous testing of their environment. Different approaches exist for enterprise security assessments.
Red Teams and Enterprise Penetration Testing
Along with pentesting, some organizations also have a Red Team capability. How are the two alike, and where do they differ?
Penetration testing identifies vulnerabilities in systems and applications, which are then exploited to understand the risk of each vulnerability to the organization.
In contrast, a Red Team uses attack scenarios to test the security posture of the organization. For example, a Red Team might operate a stolen endpoint to exfiltrate data. The security team's ability to detect and respond to that threat determines its effectiveness.
Both approaches can be based on a campaign with a finite timeline or run as continuous activities.
Next Steps For CPG Brands
CPG brands and the supply chain need to look holistically at their security posture – everything from retail distribution to e-commerce and operations to third-party relationships – and any attempt to rely on annual compliance checklists will not be sufficient. Continuous and ongoing assessment of threats and vulnerabilities is the only path forward. And this doesn’t have to be done alone.
Security leaders need to participate in the broader security community. There’s an outdated belief that competitors don’t talk to each other. That’s not the case in cyber security. Every business faces the same threats and the same risks. This active gathering of threat intelligence and observing the experiences of others (and how they respond to an attack) is what sets the average security leader apart from the successful one.