Estée Lauder Companies, the global cosmetics conglomerate responsible for popular brands such as Aveda, Clinique, Estée Lauder, Mac, and Origins, has fallen victim to a cyber attack perpetrated by two separate groups: ALPHV/BlackCat and Clop ransomware operations. While precise details surrounding the incident are still unfolding, the company has confirmed that data exfiltration has occurred and is currently assessing the extent and nature of the stolen information.
Taking swift action, Estée Lauder Companies proactively shut down certain systems and launched an investigation in collaboration with prominent cybersecurity experts and law enforcement agencies. The company is also implementing additional security measures to safeguard its operations and minimize the disruption caused by the attack. However, the full impact on the company's operations is yet to be determined.
This revelation has garnered significant attention within the security community, as both BlackCat and Clop ransomware groups have claimed responsibility for the incident. Clop, known for its ransomware attacks and extortion tactics, identified Estée Lauder Companies on its dark web leak site after purported negotiations failed or did not occur. The group also disclosed other victims, including American Airlines and Ofcom, the communications regulator, who were affected by the ongoing MOVEit Transfer breach.
It remains unclear whether Estée Lauder Companies utilized Progress Software's MOVEit Transfer file transfer tool, which previously suffered a zero-day exploit by the Clop group. Alternatively, the company may have been compromised through a third-party supplier, a common vulnerability exploited by cyber attackers. According to ZeroFox, Clop ransomware attacks follow a predictable pattern, starting with thorough reconnaissance before swiftly executing attacks focused on mass data exfiltration. Rather than encrypting data, Clop prioritizes stealing information, considering it quicker and less prone to failure. Ransom demands are typically issued within days, providing victims with details of stolen data and instructions to prevent publication. Victims have around 10-14 days to pay the ransom or negotiate with the attackers before being named on Clop's leak site. After being named, victims are given an additional 8-10 days to meet the demands before their data is made available for download. Paying the ransom during this period may result in the deletion of stolen data. The process can be extended through prolonged negotiations, leading to the publication of stolen information weeks after deadlines. This is especially observed in larger campaigns involving multiple victims.
In a similar vein, the BlackCat group also mentioned Estée Lauder Companies on its website without divulging specific details regarding their access to the company's systems. Notably, recent targets of BlackCat include Barts NHS Trust and Western Digital, a renowned storage supplier.
While the exact extent of the stolen data remains undisclosed, a representative from Clop claimed to have extracted 131GB of information from Estée Lauder Companies. Criticizing the company's purported disregard for security, the representative highlighted the perceived lack of concern for customer data. On the other hand, a BlackCat representative hinted at undisclosed revelations about Estée Lauder but clarified that they had not encrypted the company's networks.
Moving forward, Estée Lauder Companies faces the critical task of recovering from this cyber attack, fortifying its data protection measures, and restoring customer trust. This incident serves as a poignant reminder of the escalating cybersecurity threats faced by organizations across industries, emphasizing the urgent need for robust security protocols in the digital era. ###