Two ransomware gangs have breached the multinational cosmetics company The Estée Lauder Companies, with one attack being an apparent MOVEit data breach.
The MAC cosmetics, Bobbi Brown, and Tom Ford Beauty parent company said it took down systems and promptly began an investigation with leading third-party cybersecurity experts after third parties compromised its network.
Meanwhile, the BlackCat/ALPHV and Clop ransomware groups have claimed responsibility for two separate attacks on Estée Lauder and threatened to leak its data.
Two ransomware gangs breach cosmetics giant
Estée Lauder has confirmed that company data was taken in a “cybersecurity incident” but has yet to determine the nature of the stolen information.
“Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data,” Estée Lauder stated.
The cosmetics company has also notified relevant law enforcement and filed a data breach notification with the Securities and Exchange Commission (SEC).
Additionally, the company has implemented additional security measures to prevent further exploitation and is working to restore the impacted systems.
Meanwhile, Estée Lauder anticipates that the cyber incident will disrupt the company’s business operations.
“During this ongoing incident, the Company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations,” the company said.
Commenting on the Estée Lauder cyber incident, Erich Kron, a security awareness advocate at KnowBe4, warned that such attacks can overwhelm organizations and severely impact production.
“In these days, when timing is critical for the production of items, cyberattacks can cause far more issues than many organizations are prepared for. Ransomware can seriously impact production, and data theft can lead to very significant regulatory fines, especially for multinational or global organizations,” noted Kron.
Although Estée Lauder withheld the threat actor’s identity, one of the most prolific Russian ransomware gangs, BlackCat/ALPHV, has claimed responsibility. The cyber gang listed Estée Lauder on its leak site after allegedly contacting the company on July 15, 2023, and receiving no reply. Additionally, BlackCat/ALPHV claims to have maintained access to the company’s network despite Microsoft and Mandiant allegedly responding to the attack.
Nevertheless, the ransomware gang has denied encrypting the company’s computer systems. Pure extortion attacks, in which gangs such as Clop and Lapsus$ skip the encryption step and focus on stealing sensitive information, are becoming more frequent.
“We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe their data was worth a lot more,” the group said.
Threatening to publish the stolen data unless Estée Lauder pays the ransom, BlackCat/ALPHV claims to have stolen customers’, employees’, and suppliers’ information.
“The amount of data that appears to be held for ransom is significant, so there are likely to be impacts to Estée Lauder’s employees, customers, or partners.” – Lior Yaari, CEO and co-founder of Grip Security.
According to Stephan Chenette, Co-Founder and CTO at AttackIQ, the Estée Lauder ransomware attack is a reminder that “ransomware attacks are not slowing.”
“Ransomware attacks are an ever-looming threat; as reported in the 2023 DBIR Verizon Report, ransomware is present in more than 62% of all incidents committed by organized threat groups and 59% of all incidents with a financial motivation,” observed Chenette.
Estée Lauder suffered a MOVEit data breach
Earlier, the Clop ransomware gang listed Estée Lauder on its data leak site, claiming to have stolen 131GB of data in an apparent MOVEit data breach. The Clop ransomware gang posted a brief statement on its MOVEit data breach site claiming that “the company doesn’t care about its customers” and has “ignored their security.”
Meanwhile, BlackCat has distanced itself from the Estée Lauder MOVEit data breach, indicating that the two ransomware gangs breached the cosmetics company independently of each other.
“And another note to the public, ELC [has] been attacked by our colleagues at Cl0p regarding the MOVEit vulnerability attacks. We have reiterated to ELC that we are not associated with them and that this is completely separate,” BlackCat said.
Neither ransomware gang has published data samples to validate its claims. It remains unclear whether the MOVEit data breach originated from the company itself or from a third-party vendor.
“While the two groups exploited different vulnerabilities, it brings up an important phenomenon,” said Avishai Avivi, CISO at SafeBreach. “Malicious actors recycle and reuse vulnerabilities and malware toolkits. Our research indicates that the same 16 MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) have been used in 90% of observed attacks.”
Brad Hong, Customer Success Lead at Horizon3.ai, believes that Estée Lauder’s MOVEit data breach and the subsequent, separate cyber intrusion are historically significant.
“This is one of the most interesting developing case studies of recent ransomware history–two individual ransomware groups, uncoordinated, managed to get into a brand name enterprise company at the same time. Initial reports indicate that they did not hack into ELC’s infrastructure from the same attack vector,” said Hong.