Data breach at cosmetics firm Estée Lauder exposes nearly 440 million records

As users, we tend to assume that information security incidents only affect technology companies. That assumption is wrong: data security incidents are reported constantly across every kind of business. The latest example is cosmetics company Estée Lauder, which suffered a data breach that exposed nearly 440 million records.

The incident stemmed from an unprotected database, according to Jeremiah Fowler, the researcher who made the discovery. The exposed database contained unencrypted email addresses of customers and employees, marketing reports, internal documents, and information about IP addresses and data storage paths, the kind of detail that lets an attacker map out internal infrastructure. Fowler added that he notified Estée Lauder's information security team, which immediately disabled access to the database.

Shortly after receiving the report, Estée Lauder confirmed the incident, saying the database exposed a limited number of email addresses (non-customer members) registered on an online platform. The company's information security team also said that no improper access to the database had been detected so far.

The company's problems are not over, however: it still has to investigate to establish that no threat actors accessed the exposed information. The disclosure also raises further questions for customers, since data exposed in a breach can serve as a foothold into a company's internal networks, putting additional internal and customer data at risk.

“Incidents like this expose users to various malicious activities. Hackers could send phishing emails, make purchases on other sites with their payment card data, and even perform phishing attacks,” says Robert Capps, information security specialist. 

As the company’s investigation is ongoing, the International Institute of Cyber Security (IICS) points out that the incident could be investigated under the European Union’s General Data Protection Regulation (GDPR), as EU citizens’ data was exposed. It should be remembered that fines for non-compliance with the regulation reach up to €20 million or 4% of the company’s annual global turnover (revenue, not profit), whichever is higher, so the incident could have serious financial consequences for the New York-based firm.