#Privacy: Estee Lauder exposes 440m records

An unsecured database belonging to cosmetic giant Estee Lauder has exposed hundreds of millions of customer records and internal logs.

Security researcher Jeremiah Fowler, discovered the non-password protected database on January 30. 

The database consisted of 440,336,852 records, which contained plaintext email addresses, including internal email addresses from the @estee.com domain. In addition, the database exposed production, audit, error, content management systems and middleware logs. 

“I can only speculate or assume that the email addresses were from digital commerce or online sales,” wrote Fowler. 

Middleware is software that provides common services and capabilities to applications and handles data management, application services, messaging, authentication and API management. 

“Middleware can create a secondary path for malware, through which applications and data can be compromised. In this instance anyone with an internet connection could see what versions or builds are being used, the paths, and other information that could serve as a backdoor into the network,” explained Fowler. 

Upon discovering the database, Fowler immediately sent a responsible disclosure notice to Estee Lauder alerting them of the exposure. After making numerous phone calls and sending several emails – the security team at Estee Lauder received Fowler’s message and the database was closed the same day. 

It is unclear as to how long the database was exposed for and who may have accessed the records during the exposure. 

“This an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences,” said Erich Kron, security awareness advocate at KnowBe4 told Threatpost.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.