Expert Reaction On Estee Lauder Data Exposure

440 million records from the Estee Lauder company were exposed online, according to security researcher Jeremiah Fowler at Security Discovery, who found the door wide open on an Internet-facing database.

Expert Comments

February 13, 2020
Niels Schweisshelm
Technical Program Manager
HackerOne
Fortunately, Estee Lauder responded responsibly and quickly to this incident and, as a result, it appears there are no reports of any malicious activity - meaning this is a positive story about a discovered and fixed misconfiguration of a product, rather than a breach. However, when it comes to securing the data of ever more informed consumers, it's more important than ever that vulnerabilities or misconfigurations like these are reported quickly and effectively through a defined channel and process. When storing any data in a cloud environment, maintaining an understanding of who is accessing what and when is key, so the risk of unauthorised access is minimised. Modern engineering teams have many people who can improve on your infrastructure and security, but equally as many people that can make a mistake. Taking note of, and accepting reports from, third parties like Fowler and other security researchers provides additional peace of mind that there are eyes keeping everyone's data safe.
February 14, 2020
Oliver Pinson-Roxburgh
Co-founder
Bulletproof
Unfortunately, it’s common for companies to still be struggling with very basic issues. Throughout 2019 our penetration testing team conducted hundreds of tests, including application, infrastructure, API, mobile and even hardware tests. Interestingly, 20% of tests conducted featured a critical-risk issue. We define a critical risk as ‘an issue which poses an immediate and direct risk to a business.’ For example, using default admin credentials on a component can be considered a critical risk, as it would allow hackers to gain access to important parts of an infrastructure with admin-level privileges. The fact that a company of the size and prestige of Estee Lauder would leave such a sensitive database exposed is symptomatic of the widespread problem of organisations failing to get the basics of security right. The other issue is that many businesses are adopting new technologies with the assumption that they are secure out of the box and often they are not. This is a hard task, first and foremost because environments are getting more complex. With all this in mind, it’s unlikely that we’ll see this issue ever go away. With more compliance schemes gaining popularity (such as Cyber Essentials), adhering to best practices is becoming more of the norm. In essence, this works by introducing a model that enforces the best practices that are easiest to achieve. Once businesses have managed these, expanding into others becomes more feasible.
February 14, 2020
Ed Macnair
CEO
Censornet
This is another example of a big name failing to take responsibility for the way that they handle their data and suffering a large and embarrassing leak as a result. Although the details that were exposed have been described as ‘non-consumer’, it is unacceptable that a database of this size was left unsecured. The leaked information may not prompt a direct attack on customers but the exposure of the company’s middleware could offer a backdoor into their network. Cyber criminals only need to be given an inch and they will take a mile, and the company has certainly left itself in an uncertain position despite responding to the situation quickly. As these breaches continue to take place, the onus is on businesses of all sizes to ensure that they have visibility and control over their internal data as well as that of their customers. It’s crucial that organisations adopt a multi-layered approach to security and implement the appropriate technologies to keep these databases secure.
February 14, 2020
Stuart Reed
UK Director
Orange Cyberdefense
The latest Estée Lauder breach highlights an issue that is often overlooked when a breach occurs: the secondary effects of criminals obtaining information that could allow them to infect more critical systems with malware, especially in the case of middleware, which usually controls data management, application services and authentication. In addition to this, it also brings to the fore how important it is to both respond quickly and build in reliable authentication requirements. There should be a multi-layered approach, including staff education and analysis at multiple layers of the security stack to identify any malicious behaviour. Network detection and response is also a vital part of this security mix, designed to achieve a holistic view of the network and potential threats, as well as the ability to mitigate the impact of an attack fast.
February 14, 2020
Patrick Hunter
Sales Engineering Director, EMEA
One Identity
Again, we see a consumer-based company in the news for lax security. It is these types of companies that have the most data on us, the purchasers of their products. When there is little to no security around our data, we’re just making it too easy for the hackers. The advent of digital transformation is forcing companies to move to the cloud to remain relevant and agile, or so the analysts would have us believe. In reality, everyone needs to reduce costs and increase margins. I suspect these databases, such as the one discovered by Mr. Fowler, are the result of “Shadow IT” activities. Ones where a department buys software outside of their IT department and processes, thereby bypassing the security measures needed to keep the data secure. Security by default and security by design are the two basic tenets of most compliance laws, and they appear to have been forgotten here.
February 13, 2020
Tim Erlin
VP of Product Management and Strategy
Tripwire
Breaches due to an undetected misconfiguration seem to be increasing in prevalence, usually tied to either cloud storage or a misconfigured database. These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise. While their process for accepting a report for a data incident could use some work, Estee Lauder deserves credit for quickly removing the misconfigured access.
February 13, 2020
Martin Jartelius
CSO
Outpost24
On first observation, this breach is due to not only a lapse in security, but a complete lack of any form of protection. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. To prevent this scenario companies must ensure they have the security processes and controls in place to assess and be alerted of potential misconfigurations on a continuous basis. As datasets grow, the data stored is becoming increasingly valuable to businesses, and in some cases, even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.
February 13, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences. This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be accessed from nearly anywhere in the world. I give Estee Lauder credit for quickly resolving the issue once they were informed about it, as many organizations move far too slowly in this respect. As we gather more digital information about customers and share this information across platforms, especially in areas that are potentially internet-facing, it is vital that people are trained in data protection and that organizations work toward an overall security-minded culture. Oftentimes, organizations find themselves in a situation where they are collecting or amassing a large amount of potentially sensitive data without realizing the implications until it is too late. This can result in a significant cost in regulatory fines, notification and credit monitoring services and an impact to the brand if sensitive data is leaked or stolen.
February 13, 2020
Robert Capps
VP
NuData Security
With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims have with other online companies. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open up new credit lines. For organisations with an online presence, more technologies are needed to verify legitimate customers from imposters. New technologies like behavioural analytics and passive biometrics are being leveraged to protect businesses and their customers from account takeover by recognising customers’ online behaviour instead of basing a decision on a password, SIN or another credential. Hackers are not able to mimic inherent user behaviour online, making stolen credentials valueless.
February 13, 2020
Corin Imai
Senior Security Advisor
DomainTools
Cybercriminal operations thrive off the kind of data that this database left exposed: sensitive personal identifiable information can be sold online and exploited in all sorts of subsequent campaigns. Fortunately, security researchers promptly brought the misconfiguration to the attention of Estee Lauder, who quickly secured the database. Although there is no evidence that data was stolen, people potentially affected should be wary of any email they receive that requests them to reset their credentials or to provide any kind of authentication. Unfortunately, in the wake of a data breach, criminals often exploit the circumstances to plan campaigns aimed at capitalising on the victims of such a breach. They will be expecting a warning email from the organisation that was compromised and thus more likely to believe a well-designed malicious message.