Estée Lauder exposes 440 million internal records in security breach

Estée Lauder has suffered a data exposure in which roughly 440 million records were left accessible on the internet.

As first reported by Security Discovery and subsequently by other media outlets, the exposed database contained 440,336,852 records, including internal company emails. There was no evidence that customer records or payment details were affected.

While there was no direct risk to customers of Estée Lauder or of its subsidiary brands, including Clinique and MAC, the security researcher who discovered the exposure noted that the records relating to middleware could give attackers a second route into the company's systems and, from there, to more sensitive information.

“There were millions of records pertaining to middleware that is used by the Estée Lauder company. Middleware is software that provides common services and capabilities to applications outside of what’s offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware,” said Jeremiah Fowler, data analyst and security consultant at Security Discovery.

“Another danger of this exposure is the fact that middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network.”

An Estée Lauder spokesperson said: “On 30 January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estée Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”