On January 30th 2020, security researcher Jeremiah Fowler discovered a database online that contained thousands of records. The internet-facing database had no password protection in place, contained a total of 440,336,852 records, and was connected to the cosmetics giant Estee Lauder.
Estee Lauder issued the following statement:
“On 30th January, 2020, we were made aware that a limited number of non-consumer email addresses from an education platform were temporarily accessible via the internet. This education platform was not consumer facing, nor did it contain consumer data. We have found no evidence of unauthorized use of the temporarily accessible data. The Estee Lauder Companies takes data privacy and security very seriously. As soon as we became aware, we took immediate action to secure the data and notify appropriate parties.”
Jeremiah Fowler said:
“The database appeared to be a content management system that contained everything from how the network is working to references to internal documents, sales matrix data, and more. As soon as I saw email addresses, I was able to validate these were real people and immediately contacted Estee Lauder.”
To the best of Fowler’s knowledge, there was no payment data or sensitive employee information. However, he qualifies this by adding that access to the database was closed before he could validate all 440 million records.