IT Security Guru

Estee Lauder Breach: What Do The Experts Think?

We asked cybersecurity professionals about the latest brand to be affected by a database misconfiguration. Here's their take

by The Gurus
February 14, 2020
in Opinions & Analysis

Corin Imai, senior security advisor at DomainTools: 

“Cybercriminal operations thrive off the kind of data that this database left exposed: sensitive personal identifiable information can be sold online and exploited in all sorts of subsequent campaigns. Fortunately, security researchers promptly brought the misconfiguration to the attention of Estee Lauder, who quickly secured the database.

Although there is no evidence that data was stolen, people potentially affected should be wary of any email they receive that requests them to reset their credentials or to provide any kind of authentication. Unfortunately, in the wake of a data breach, criminals often exploit the circumstances to plan campaigns aimed at capitalising on the victims of such a breach. They will be expecting a warning email from the organisation that was compromised and thus more likely to believe a well-designed malicious message.”

Patrick Hunter, an EMEA director at One Identity:

“Again, we see a consumer-based company in the news for lax security. It is these types of companies that have the most data on us, the purchasers of their products. When there is little to no security around our data, we’re just making it too easy for the hackers.

The advent of digital transformation is forcing companies to move to the cloud to remain relevant and agile, or so the analysts would have us believe. In reality, everyone needs to reduce costs and increase margins. I suspect these databases, such as the one discovered by Mr. Fowler, are the result of “Shadow IT” activities: ones where a department buys software outside of their IT department and processes, thereby bypassing the security measures needed to keep the data secure. Security by default and security by design are the two basic tenets of most compliance laws, and they appear to have been forgotten here.”

Oliver Pinson-Roxburgh, cofounder of Bulletproof:

“Unfortunately, it’s common for companies to still be struggling with very basic issues. Throughout 2019 our penetration testing team conducted hundreds of tests, including application, infrastructure, API, mobile and even hardware tests. 

Interestingly, 20% of tests conducted featured a critical-risk issue. We define a critical risk as ‘an issue which poses an immediate and direct risk to a business.’ For example, using default admin credentials on a component can be considered a critical risk, as it would allow hackers to gain access to important parts of an infrastructure with admin-level privileges.

The fact that a company of the size and prestige of Estee Lauder would leave such a sensitive database exposed is symptomatic of the widespread problem of organisations failing to get the basics of security right. This is a hard task, first and foremost because environments are getting more complex. The other issue is that many businesses are adopting new technologies with the assumption that they are secure out of the box and often they are not.

With all this in mind, it’s unlikely that we’ll see this issue ever go away. With more compliance schemes gaining popularity (such as Cyber Essentials), adhering to best practices is becoming more of the norm. In essence, this works by introducing a model that enforces the best practices that are easiest to achieve. Once businesses have managed these, expanding into others becomes more feasible.”

Erich Kron, security awareness advocate at KnowBe4:

“This is an example of how a simple error such as setting permissions on a shared drive or a database can have significant consequences. This is also a lesson in how large organizations can improve on the process of reporting potential data exposure quickly in order to rapidly resolve the issue, especially in the modern electronic age where millions of records can be stored in a single place and be accessed from nearly anywhere in the world. I give Estee Lauder credit for quickly resolving the issue once they were informed about it, as many organizations move far too slowly in this respect.

As we gather more digital information about customers and share this information across platforms, especially in areas that are potentially internet-facing, it is vital that people are trained in data protection and that organizations work toward an overall security-minded culture. Oftentimes, organizations find themselves in a situation where they are collecting or amassing a large amount of potentially sensitive data without realizing the implications until it is too late. This can result in a significant cost in regulatory fines, notification and credit monitoring services and an impact to the brand if sensitive data is leaked or stolen.”

Martin Jartelius, CSO at Outpost24:

“On first observation, this breach is due to not only a lapse in security, but a complete lack of any form of protection. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. To prevent this scenario companies must ensure they have the security processes and controls in place to assess and be alerted of potential misconfigurations on a continuous basis. As datasets grow, the data stored is becoming increasingly valuable to businesses, and in some cases, even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.”

Tim Erlin, VP at Tripwire:

“Breaches due to an undetected misconfiguration seem to be increasing in prevalence, usually tied to either cloud storage or a misconfigured database. These are preventable incidents, and there are tools available to detect misconfigurations in any size enterprise.

While their process for accepting a report for a data incident could use some work, Estee Lauder deserves credit for quickly removing the misconfigured access.”
