In a hack heard ’round the beauty world, the Estée Lauder Cos. Inc. found itself on the receiving end of an apparent ransomware attack that compromised data and took down some of its systems, the company disclosed Tuesday night.
Since then, the ALPHV/BlackCat and Clop groups have claimed credit for the cyber attack, listing Estée Lauder on their dark web sites alongside an airline, a communications regulator, a hard drive storage provider and others. Among them was the file transfer tool MOVEit, the victim of a massive Clop breach in late May. That data heist affected organizations that used the service, which, according to security firm Emsisoft, numbered 378 organizations and about 20 million individuals.
It’s unclear whether Estée Lauder was among them, and the company didn’t disclose the nature or scope of the data that were compromised. However, screenshots tweeted by Emsisoft threat analyst Brett Callow of posts from BlackCat and Clop suggest that the information included customer data.
The message from Clop claimed to have extracted 131 GB of data from the beauty conglomerate, stating, “The company doesn’t care about its customers, it ignored their security!!!”
The ALPHV/BlackCat screen grab, which threatened to reveal more information about its stolen data, struck a slightly more poetic tone: “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe the data was worth a lot more.”
Notably, the post featured a link to a Microsoft Azure security page on how to recover from an identity compromise. It also stated that BlackCat’s effort was completely separate from that of Clop and the MOVEit hack, indicating the incidents were not coordinated attacks.
Ransomware attacks usually involve a data heist or a pointed threat against a vulnerable system that’s wielded until some sort of demand is met. According to the Estée Lauder statement and its filing with the Securities and Exchange Commission, an “unauthorized third party” managed to gain “access to some of the company’s systems,” but the company did not explain what the attackers hoped to gain or what they demanded, if anything.
Estée Lauder did acknowledge that “the incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations.” Now focused on “remediation,” it has taken down at least some of its systems and is working with law enforcement to investigate the matter.
When it comes to ransomware attacks, if that is indeed what hit Lauder, the company is far from alone, joining a long list of victims such as Walmart, Ikea, McDonald’s and many others. A 2022 State of Ransomware report by Security Boulevard showed that retail ransomware incidents jumped a whopping 67 percent over 2021. According to Cyberint, the retail industry was the third most targeted industry last year, accounting for 14 percent of all ransomware attacks observed by the firm.
Common attack vectors include outdated or unpatched software, phishing attacks aimed at employees, and malware designed to steal information such as login credentials or other sensitive data.
The company declined a WWD request for comment while the investigation is ongoing, so it’s not evident if any of those avenues were used here.
According to activity spotted by Callow, ALPHV reportedly informed company leadership of its attack on July 15 through corporate and personal email accounts. Estée Lauder did not respond, the group claimed, and so the company was listed on its leak site on Tuesday.
So far, at least one of the groups seems to be making good on its threats. On Wednesday, Clop apparently released client information from PricewaterhouseCoopers, making it available for online download.