Cosmetics giant Yves Rocher is warning that a major data leak exposed the personal data of millions of its customers and sensitive internal company information to the public. The data exposure stems from a database left unprotected by a third-party consultant to the firm. Researchers with vpnMentor on Monday said that they discovered an unprotected Elasticsearch server owned by Aliznet, which provides consulting services to large firms including IBM, Salesforce, Sephora and Louboutin.
It does not take much effort for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries. Such vulnerabilities can pose major threats to data security, data subjects’ wellbeing, regulatory compliance, and brand reputation. Even companies with limited IT resources must take full responsibility for securing user data; there is no excuse for negligent security practices such as leaving databases exposed. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.
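The misconfiguration at the heart of this incident is an Elasticsearch HTTP endpoint (by default port 9200) that answers anonymous requests, so anyone who finds it can list and read its indices. The following is an added example, not code from the article, from vpnMentor or from Aliznet: a small probe that classifies a node as open, authentication-required, unreachable or not Elasticsearch, using only the two anonymous requests a scanner would make (`/` for the cluster banner and `/_cat/indices`). To run offline it starts a constructed stand-in server on a loopback port; the host, port, cluster name and index names are all assumptions for the demo.

```python
"""Added example (not from the article, vpnMentor or Aliznet): probe whether an
Elasticsearch node serves data without authentication. The stand-in server,
cluster name and index names below are constructed for the demo."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_elasticsearch(base_url: str, timeout: float = 3.0) -> dict:
    """Send unauthenticated requests to an Elasticsearch base URL.

    Returns {'status': ..., 'indices': [...]} where status is one of
    'open', 'auth_required', 'unreachable' or 'not_elasticsearch'.
    """
    result = {"status": "unreachable", "indices": []}
    try:
        with urllib.request.urlopen(base_url + "/", timeout=timeout) as resp:
            banner = json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # 401/403 on the root path: the node is up but refuses anonymous
        # callers, which is the state an exposed server should have been in.
        if exc.code in (401, 403):
            result["status"] = "auth_required"
        return result
    except (urllib.error.URLError, ValueError, OSError):
        return result
    if not isinstance(banner, dict) or "cluster_name" not in banner or "version" not in banner:
        result["status"] = "not_elasticsearch"
        return result
    # The banner is public; now check whether the data is too. A listing of
    # indices means anyone on the network can enumerate and read stored data.
    try:
        with urllib.request.urlopen(base_url + "/_cat/indices?format=json",
                                    timeout=timeout) as resp:
            indices = json.loads(resp.read().decode())
    except (urllib.error.URLError, ValueError, OSError):
        # Banner visible but data refused: treat as protected, not open.
        result["status"] = "auth_required"
        return result
    result["status"] = "open"
    result["indices"] = [entry.get("index", "") for entry in indices]
    return result


def _make_stand_in_handler(require_auth: bool):
    """Build a handler that mimics an Elasticsearch node (constructed, not real)."""
    banner = {"cluster_name": "demo-cluster", "version": {"number": "6.8.0"}}
    indices = [{"index": "customers", "docs.count": "1200"},
               {"index": "employees", "docs.count": "40"}]

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="security"')
                self.end_headers()
                return
            if self.path == "/":
                body = banner
            elif self.path.startswith("/_cat/indices"):
                body = indices
            else:
                self.send_error(404)
                return
            payload = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def demo_probe(require_auth: bool = False) -> dict:
    """Start the stand-in on a random loopback port, probe it, return the verdict."""
    server = HTTPServer(("127.0.0.1", 0), _make_stand_in_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return classify_elasticsearch(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("exposed node :", demo_probe())
    print("protected node:", demo_probe(require_auth=True))
```

Against a real host you would call `classify_elasticsearch("http://host:9200")`; an `open` verdict with a non-empty index list is exactly what third-party scanners flag, and the fix is to put the node behind authentication and a private network rather than to rely on obscurity of the address.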
It’s unfortunate that a simple database misconfiguration mistake can have such catastrophic results. We see in the industry today that the majority of these breaches are caused by a misconfiguration or error, and this one is no different. For companies such as Yves Rocher who contracted with Aliznet, it is a tough situation, because you put trust in your third-party contractors to create a secure application that can deliver you results. This situation highlights why it is extremely important to have a third-party information security/privacy risk management program that is able to perform due diligence on software or services that an organization is developing or has developed, especially if it will be housing customer data.
In order to prevent data leaks such as this one from happening, organizations need to be proactive in their approach to monitoring their applications. It is extremely important to perform regular vulnerability scans and penetration tests, and to leverage industry-standard tools to catch any existing misconfigurations or vulnerabilities in web applications. For this data leak I would recommend that impacted consumers and employees stay vigilant about any email, mail, or phone calls they receive, because they are now more susceptible to highly targeted spear-phishing attempts due to the amount of data exposed.
Since the impacted consumers were Canadian, this can have far reaching impacts for Yves Rocher and Aliznet due to data protection regulations such as PIPEDA and other Canadian provincial privacy laws. These laws have mandatory breach reporting requirements and organizations are now vulnerable to high fines under the regulation.
Managing the extensive supply chains that global enterprises rely on today can be a cumbersome process, especially with legacy GRC tools or spreadsheets. From a purchaser perspective, businesses need to be aware and increasingly diligent when it comes to sourcing a vendor, especially when dealing with the sensitive information that we see in this case.
For both vendors and buyers, though, an integrated approach is critical. Implementing integrated risk management solutions that align vendor security with internal security is the first step to ensuring that a supply chain is as secure as possible. With enterprises becoming more like ecosystems and less like islands, buyers need to be asking more and better questions of their vendors, especially when their customers’ information is at stake. Vendor risk must be seen as just as critical to an organization’s posture as the cybersecurity of the enterprise itself.