IT Security Guru

Estee Lauder Breach: What Do The Experts Think?

We asked cybersecurity professionals about the latest brand to be affected by a database misconfiguration. Here's their take.

by Sabina
February 14, 2020
in Opinions & Analysis

Corin Imai, senior security advisor at DomainTools:

“Cybercriminal operations thrive off the kind of data that this database left exposed: sensitive personal identifiable information can be sold online and exploited in all sorts of subsequent campaigns. Fortunately, security researchers promptly brought the misconfiguration to the attention of Estee Lauder, who quickly secured the database.

Although there is no evidence that data was stolen, people potentially affected should be wary of any email they receive that requests them to reset their credentials or to provide any kind of authentication. Unfortunately, in the wake of a data breach, criminals often exploit the circumstances to plan campaigns aimed at capitalising on the victims of such a breach. They will be expecting a warning email from the organisation that was compromised and thus more likely to believe a well-designed malicious message.”

Patrick Hunter, an EMEA director at One Identity:

“Again, we see a consumer-based company in the news for lax security. It is these types of companies that have the most data on us, the purchasers of their products. When there is little to no security around our data, we’re just making it too easy for the hackers.

The advent of digital transformation is forcing companies to move to the cloud to remain relevant and agile, or so the analysts would have us believe. In reality, everyone needs to reduce costs and increase margins. I suspect these databases, such as the one discovered by Mr. Fowler, are the result of “Shadow IT” activities. Ones where a department buys software outside of their IT department and processes, thereby bypassing the security measures needed to keep the data secure. Security by default and security by design are the two basic tenets of most compliance laws, and they appear to have been forgotten here.”

Oliver Pinson-Roxburgh, cofounder of Bulletproof:

“Unfortunately, it’s common for companies to still be struggling with very basic issues. Throughout 2019 our penetration testing team conducted hundreds of tests, including application, infrastructure, API, mobile and even hardware tests.

Interestingly, 20% of tests conducted featured a critical-risk issue. We define a critical risk as ‘an issue which poses an immediate and direct risk to a business.’ For example, using default admin credentials on a component can be considered a critical risk, as it would allow hackers to gain access to important parts of an infrastructure with admin-level privileges.

The fact that a company of the size and prestige of Estee Lauder would leave such a sensitive database exposed is symptomatic of the widespread problem of organisations failing to get the basics of security right. This is a hard task, first and foremost because environments are getting more complex. The other issue is that many businesses are adopting new technologies with the assumption that they are secure out of the box and often they are not.

With all this in mind, it’s unlikely that we’ll see this issue ever go away. With more compliance schemes gaining popularity (such as Cyber Essentials), adhering to best practices is becoming more of the norm. In essence, this works by introducing a model that enforces the best practices that are easiest to achieve. Once businesses have managed these, expanding into others becomes more feasible.”

Erich Kron, security awareness advocate at KnowBe4:

“This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences. This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be accessed from nearly anywhere in the world. I give Estee Lauder credit for quickly resolving the issue once they were informed about it, as many organizations move far too slowly in this respect.

As we gather more digital information about customers and share this information across platforms, especially in areas that are potentially internet-facing, it is vital that people are trained in data protection and that organizations work toward an overall security-minded culture. Oftentimes, organizations find themselves in a situation where they are collecting or amassing a large amount of potentially sensitive data without realizing the implications until it is too late. This can result in a significant cost in regulatory fines, notification and credit monitoring services and an impact to the brand if sensitive data is leaked or stolen.”

Martin Jartelius, CSO at Outpost24:

“On first observation, this breach is due to not only a lapse in security, but a complete lack of any form of protection. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. To prevent this scenario companies must ensure they have the security processes and controls in place to assess and be alerted of potential misconfigurations on a continuous basis. As datasets grow, the data stored is becoming increasingly valuable to businesses, and in some cases, even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.”

Tim Erlin, VP at Tripwire:

“Breaches due to an undetected misconfiguration seem to be increasing in prevalence, usually tied to either cloud storage or a misconfigured database. These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise.

While their process for accepting a report for a data incident could use some work, Estee Lauder deserves credit for quickly removing the misconfigured access.”
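Jartelius and Erlin both point to continuous assessment and alerting on misconfigurations as the control that would have caught an exposed database. The routine below is an added example written for this page, not code from the article, from Outpost24, Tripwire or any other quoted company. It audits a constructed asset inventory for the failure mode discussed here: a data store reachable from the Internet with no authentication. The inventory records, their field names (`bind`, `auth_required`, `allowed_cidrs`, `tls`) and the severity scheme are assumptions made for the illustration.

```python
"""Added example: a minimal misconfiguration audit over an asset inventory.

Not from the article or any quoted vendor. Record layout is an assumption;
a real deployment would pull these fields from cloud APIs or a CMDB and run
the audit on a schedule so that a newly exposed store raises an alert.
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample inventory (field names are assumed, not from any real tool).
INVENTORY = [
    {"name": "edu-db-01", "kind": "elasticsearch", "bind": "0.0.0.0", "port": 9200,
     "auth_required": False, "tls": False, "allowed_cidrs": ["0.0.0.0/0"]},
    {"name": "orders-db", "kind": "postgres", "bind": "10.0.3.12", "port": 5432,
     "auth_required": True, "tls": True, "allowed_cidrs": ["10.0.0.0/8"]},
    {"name": "marketing-dump", "kind": "s3", "bind": "0.0.0.0", "port": 443,
     "auth_required": False, "tls": True, "allowed_cidrs": ["0.0.0.0/0"]},
    {"name": "dev-cache", "kind": "redis", "bind": "0.0.0.0", "port": 6379,
     "auth_required": False, "tls": False, "allowed_cidrs": ["192.168.1.0/24"]},
]


@dataclass
class Finding:
    name: str
    severity: str
    reasons: list


def _internet_reachable(record):
    """True when the service listens on a non-loopback interface and at least
    one allow rule covers the whole Internet (a /0 prefix)."""
    bind = ipaddress.ip_address(record["bind"])
    if bind.is_loopback:
        return False
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in record["allowed_cidrs"])


def audit(inventory):
    """Return one Finding per record that violates a basic control.

    Severity: critical = Internet-reachable without authentication (the
    scenario in the article); high = Internet-reachable with authentication;
    medium = internal-only but missing authentication or transport encryption.
    """
    findings = []
    for rec in inventory:
        reasons = []
        reachable = _internet_reachable(rec)
        if reachable and not rec["auth_required"]:
            reasons.append("reachable from the Internet without authentication")
        elif reachable:
            reasons.append("reachable from the Internet (authentication required)")
        elif not rec["auth_required"]:
            reasons.append("no authentication on an internal network")
        if not rec["tls"]:
            reasons.append("no transport encryption")
        if not reasons:
            continue
        if reachable and not rec["auth_required"]:
            severity = "critical"
        elif reachable:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(rec["name"], severity, reasons))
    return findings


def critical_names(inventory):
    """Names of assets that should page someone immediately."""
    return sorted(f.name for f in audit(inventory) if f.severity == "critical")


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.severity:8} {f.name}: {'; '.join(f.reasons)}")
```

Run against the constructed inventory, the two Internet-reachable, unauthenticated stores come out as critical, while the Redis instance with no authentication but an internal-only allow list is reported at medium severity. The point of running such a check continuously rather than once is that the exposure in the article was not a design decision; it appeared when someone changed a setting, and only a repeated comparison against the expected state catches that.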

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic