Expert Reaction On Estee Lauder Data Exposure

According to security researcher Jeremiah Fowler at Security Discovery, 440 million records from the Estee Lauder company were exposed online. Fowler found the door wide open on an internet-facing database.


EXPERTS COMMENTS
Oliver Pinson-Roxburgh, cofounder, Bulletproof
February 14, 2020
Organisations still fail to get the basics of security right.
Unfortunately, it’s common for companies to still be struggling with very basic issues. Throughout 2019 our penetration testing team conducted hundreds of tests, including application, infrastructure, API, mobile and even hardware tests. Interestingly, 20% of tests conducted featured a critical-risk issue. We define a critical risk as ‘an issue which poses an immediate and direct risk to a b ....
Ed Macnair, CEO, Censornet
February 14, 2020
Cyber criminals only need to be given an inch and they will take a mile.
This is another example of a big name failing to take responsibility for the way that they handle their data and suffering a large and embarrassing leak as a result. Although the details that were exposed have been described as ‘non-consumer’, it is unacceptable that a database of this size was left unsecured. The leaked information may not prompt a direct attack on customers but the exposure ....
Stuart Reed, VP, Nominet
February 14, 2020
Especially in the case of middleware, which usually controls data management, application services and authentication.
The latest Estée Lauder breach highlights an issue that is often overlooked when a breach occurs: the secondary effects of criminals obtaining information that could allow them to infect more critical systems with malware. Especially in the case of middleware, which usually controls data management, application services and authentication. In addition to this, it also brings to the fore how impor ....
Patrick Hunter, Sales Engineering Director, EMEA, One Identity
February 14, 2020
Security by default and security by design are the two basic tenets of most compliance laws, and they appear to have been forgotten here.
Again, we see a consumer based company in the news for lax security. It is these types of companies that have the most data on us, the purchasers of their products. When there is little to no security around our data, we’re just making it too easy for the hackers. The advent of digital transformation is forcing companies to move to the cloud to remain relevant and agile, or so the analyst ....
Tim Erlin, VP of Product Management and Strategy, Tripwire
February 13, 2020
These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise.
Breaches due to an undetected misconfiguration seem to be increasing in prevalence, usually tied to either cloud storage or a misconfigured database. These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise. While their process for accepting a report for a data incident could use some work, Estee Lauder deserves credit for quickly removing ....
Martin Jartelius, CSO, Outpost24
February 13, 2020
As datasets grow, the data stored is becoming increasingly valuable to businesses, and in some cases, even more valuable than money.
On first observation, this breach is due to not only a lapse in security, but a complete lack of any form of protection. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. To prevent this scenario companies must ensure they have the security processes and controls in place to assess and be alerted of potentia ....
Erich Kron, Security Awareness Advocate, KnowBe4
February 13, 2020
This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences.
This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences. This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be ac ....
Robert Capps, VP, NuData Security
February 13, 2020
New technologies like behavioural analytics and passive biometrics are being leveraged.
With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims have with other online companies. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open up new credit lines. For organisations with an online presence, more technologies are needed to verify ....
Niels Schweisshelm, Technical Program Manager, HackerOne
February 13, 2020
Fortunately, Estee Lauder responded responsibly and quickly to this incident.
Fortunately, Estee Lauder responded responsibly and quickly to this incident and, as a result, it appears there are no reports of any malicious activity - meaning this is a positive story about a discovered and fixed misconfiguration of a product, rather than a breach. However, when it comes to securing the data of ever more informed consumers, it's more important than ever that vulnerabilities or ....
Corin Imai, Senior Security Advisor, DomainTools
February 13, 2020
Unfortunately, in the wake of a data breach, criminals often exploit the circumstances to plan campaigns aimed at capitalising.
Cybercriminal operations thrive off the kind of data that this database left exposed: sensitive personal identifiable information can be sold online and exploited in all sorts of subsequent campaigns. Fortunately, security researchers promptly brought the misconfiguration to the attention of Estee Lauder, who quickly secured the database. Although there is no evidence that data was stolen, peop ....
Robert Capps, VP, NuData Security
February 12, 2020
For organizations with an online presence, more technologies are needed to verify legitimate customers from imposters.
With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims have with other online companies. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open up new credit lines. For organizations with an online presence, more technologies are needed to verify ....
