#privacy: Yves Rocher exposes data on millions of customers
An unsecured Elasticsearch database has exposed the personal data of millions of customers.

Researchers from vpnMentor were able to access a private database belonging to Aliznet, which contained data on 2.5 million Canadian Yves Rocher customers. The data included names, email addresses, phone numbers, dates of birth and postcodes. 

The database also held over six million customer orders, including the delivery date, store location, transaction amount and the currency used.

Researchers were able to identify the individuals placing orders: each order is linked to a unique customer ID, and by matching that ID against the leaked Yves Rocher customer records the researchers could work out who placed which order.

Amongst the personally identifiable information leaked, the researchers also found internal Yves Rocher data, including turnover, statistics on store traffic, order volumes and more.

This information is highly valuable to competitors of Yves Rocher, as it allows them to estimate store sales and other trading data. Additionally, the exposed internal data provides competitors with information on Yves Rocher’s customers, such as their order histories and contact information.

“Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.”

An API vulnerability was also discovered. It could allow anyone to access and exploit an application that Aliznet had built for Yves Rocher employees. By using employee IDs, threat actors could log in as staff and obtain more data on customers and staff, as well as add to, modify and delete the company database.
