In late January, a non-password-protected database containing more than 440 million records was discovered by security researcher Jeremiah Fowler. After further review, it was determined to belong to New York-based cosmetic company Estée Lauder. The company was sent a responsible disclosure notice and restricted public access to the database on the same day it was notified.
“The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more,” Fowler said. The email addresses were assumed to be part of a digital commerce or online sales activity used in a middleware system.
Security leaders need to participate in the broader security community. There’s an outdated belief that competitors don’t talk to each other. That’s not the case in cybersecurity. Every business faces the same threats and the same risks. Actively gathering threat intelligence and observing how others experience and respond to attacks is what separates successful security leaders from average ones.
Exposure of confidential client information is not a problem limited to large companies. The proliferation of “cloud” services has left many IT departments scrambling to reconcile business and security demands that can seem contradictory. This is the same reason the DoD has implemented the new CMMC requirement for all companies doing business with the US Government, effective June 2020.
Orr. (2020, February 17). Incident Of The Week: Security Researcher Uncovers 440 Million Records From Estée Lauder. Retrieved from https://www.cshub.com/data/articles/incident-of-the-week-security-researcher-uncovers-440-million-records-from-estee-lauder