The Body Shop, Avon & Natura ISO 27001 certified companies leaked data of 250,000 customers

Specialists in a cyber security course have reported a new incident involving the personal information of millions of people. A multibillion-dollar company based in Brazil exposed highly sensitive information (personal and financial data) of its customers. According to the reports, the exposed information was hosted in poorly configured databases, making them available to any user.

The company in question, Natura & Co Group, is a global cosmetics production and sales group with a presence in more than 70 countries. This corporation owns firms such as Aesop, Avon and The Body Shop.

Experts in the cyber security course mention that the data breach involves two databases with more than 190 million records each. One of the exposed deployments held 1.3 TB of data, while the second database contained 272 GB.

Thanks to a leaked report, the cybersecurity community was able to learn that more than 250,000 Natura customers have been affected by the data breach. It was also revealed that at least 40 thousand records of Wirecard’s mobile internet communications accounts (MOIPs) were exposed. The compromised information includes details such as:

  • Full name
  • Home address
  • Email address
  • Gender
  • Date and place of birth
  • Phone number
  • Purchase history
  • MOIP account details
  • Username and nickname
  • Access token for wirecard.com.br
  • API credentials that include unencrypted passwords
  • Natura.com.br login credentials including hashed passwords

The incident was not limited to Natura’s customers. Soon after, experts in the cyber security course confirmed that the data breach also compromised confidential details about the company’s IT infrastructure. “The compromised server contained API logs from the Natura website, so all the information from the production server was exposed,” the experts mention. In addition, the leak also exposed the names of some Amazon buckets, which store PDFs related to agreements between the company and other parties. 

The International Institute of Cyber Security (IICS) recommends that Natura customers consult the company on the measures being taken to address this issue because, due to the nature of the information compromised, they could be exposed to phishing campaigns or identity fraud.

For security, customers should be wary of malicious emails and avoid sharing their personal data online. In these cases it is common for firms to offer identity and banking fraud protection services, although Natura has not made any further official statements.