Estee Lauder Suffers Large-Scale Data Breach

An ungated database containing more than 440 million records owned by beauty company Estée Lauder has been exposed online, Forbes reported. A security researcher, Jeremiah Fowler, found the database in late January that was internet-facing and had no password protection.

Estée Lauder released a statement explaining that a limited number of non-consumer email addresses from an education platform were temporarily accessible, but the platform wasn't consumer facing and didn't contain any consumer data. According to the statement, Estée Lauder took immediate action as soon as it was made aware of the breach. Fowler told Forbes that the system contained everything from how the network is working to references to internal documents, sales matrix data, and more. As soon as Fowler saw email addresses in the system, he contacted Estée Lauder immediately, and can confirm the brand was responsive and took action on the same day.

Fowler explained that these records were pertaining to middleware, and that the danger of this exposure is that middleware can create a path for malware, through which data and applications can be compromised.

Total Retail's Take: Something else that Fowler mentioned to Forbes was the lengthy process of getting in touch with Estée Lauder. The brand didn't have a protocol in place on how to deal with exposed data, and Fowler explained that, unfortunately, that isn't uncommon when it comes to large corporations. The longer it takes for a company to be made aware of a data breach, the more time the data is at risk, so hopefully this is a wake-up call for Estée Lauder and other brands to create a clear plan for how to deal with (and easily report) a data breach. Luckily for Estee Lauder this breach didn't involve consumer data. However, the fact remains that retailers and brands must remain vigilant about data security, including having policies and procedures in place and ready to be acted upon in the increasing likelihood that a breach does occur.