440 million records from the Estée Lauder company were exposed online, according to security researcher Jeremiah Fowler at Security Discovery, who found the door wide open on an Internet-facing database.
Wonder @ # of #schooldistricts or #highered could field report of #data exposure by #whitehat #hacker : “you would be shocked at how many companies do not have a protocol when it comes to exposed data”—not acceptable situation. From @Forbes https://t.co/MJIbwSzyzR
— Trapped in Covid Ground Hog Day (@jhengstler) February 11, 2020
Unfortunately, it’s common for companies to still be struggling with very basic issues. Throughout 2019 our penetration testing team conducted hundreds of tests, including application, infrastructure, API, mobile and even hardware tests.
Interestingly, 20% of tests conducted featured a critical-risk issue. We define a critical risk as ‘an issue which poses an immediate and direct risk to a business.’ For example, using default admin credentials on a component can be considered a critical risk, as it would allow hackers to gain access to important parts of an infrastructure with admin-level privileges.
The fact that a company of the size and prestige of Estee Lauder would leave such a sensitive database exposed is symptomatic of the widespread problem of organisations failing to get the basics of security right. The other issue is that many businesses are adopting new technologies with the assumption that they are secure out of the box and often they are not. This is a hard task, first and foremost because environments are getting more complex.
With all this in mind, it’s unlikely that we’ll see this issue ever go away. With more compliance schemes gaining popularity (such as Cyber Essentials), adhering to best practices is becoming more of the norm. In essence, this works by introducing a model that enforces the best practices that are easiest to achieve. Once businesses have managed these, expanding into others becomes more feasible.
This is another example of a big name failing to take responsibility for the way that they handle their data and suffering a large and embarrassing leak as a result. Although the details that were exposed have been described as ‘non-consumer’, it is unacceptable that a database of this size was left unsecured.
The leaked information may not prompt a direct attack on customers but the exposure of the company’s middleware could offer a backdoor into their network. Cyber criminals only need to be given an inch and they will take a mile, and the company has certainly left itself in an uncertain position despite responding to the situation quickly.
As these breaches continue to take place, the onus is on businesses of all sizes to ensure that they have visibility and control over their internal data as well as that of their customers. It’s crucial that organisations adopt a multi-layered approach to security and implement the appropriate technologies to keep these databases secure.
The latest Estée Lauder breach highlights an issue that is often overlooked when a breach occurs: the secondary effects of criminals obtaining information that could allow them to infect more critical systems with malware, especially in the case of middleware, which usually controls data management, application services and authentication. In addition to this, it also brings to the fore how important it is to both respond quickly and build in reliable authentication requirements. There should be a multi-layered approach, including staff education and analysis at multiple layers of the security stack to identify any malicious behaviour. Network detection and response is also a vital part of this security mix, designed to achieve a holistic view of the network and potential threats, as well as the ability to mitigate the impact of an attack fast.
Again, we see a consumer-based company in the news for lax security. It is these types of companies that have the most data on us, the purchasers of their products. When there is little to no security around our data, we’re just making it too easy for the hackers.
The advent of digital transformation is forcing companies to move to the cloud to remain relevant and agile, or so the analysts would have us believe. In reality, everyone needs to reduce costs and increase margins. I suspect these databases, such as the one discovered by Mr. Fowler, are the result of “Shadow IT” activities: ones where a department buys software outside of their IT department and processes, thereby bypassing the security measures needed to keep the data secure. Security by default and security by design are the two basic tenets of most compliance laws, and they appear to have been forgotten here.
Breaches due to an undetected misconfiguration seem to be increasing in prevalence, usually tied to either cloud storage or a misconfigured database. These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise.
While their process for accepting a report for a data incident could use some work, Estee Lauder deserves credit for quickly removing the misconfigured access.