Estée Lauder Companies, the organisation behind global cosmetics brands such as Aveda, Clinique, Estée Lauder, Mac and Origins, has suffered a cyber attack that appears to have been the work of two distinct groups, namely the ALPHV/BlackCat and Clop ransomware operations.
Full details of the still-unfolding incident have yet to emerge, but the organisation said it believed the incident had resulted in data exfiltration. It is currently seeking to establish the nature and scope of that data.
In a statement, the group said: “The Estée Lauder Companies Inc has identified a cyber security incident, which involves an unauthorised third party that has gained access to some of the company’s systems.
“After becoming aware of the incident, the company proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cyber security experts. The company is also coordinating with law enforcement.”
The organisation said it was currently implementing further measures to secure its operations and would take additional steps if needed. It added that it remains fully focused on remediation, including attempts to restore impacted systems, but acknowledged that the incident has caused, and will continue to cause, disruption to parts of its operations.
Meanwhile, the disclosure has attracted attention in the security community since both BlackCat and Clop have claimed responsibility.
On 18 July, Clop, the ransomware-cum-extortion operation behind the ongoing MOVEit Transfer breach, named Estée Lauder Companies on its dark web leak site, following either the failure or non-occurrence of negotiations.
At the same time, the gang named a number of other victims, according to researcher Dominic Alvieri, including American Airlines and comms regulator Ofcom, which has already disclosed it was victimised in the MOVEit incident.
It remains unknown if Estée Lauder Companies was itself a user of Progress Software’s MOVEit Transfer file transfer tool, which was first attacked via a zero-day by Clop almost two months ago, or whether it was compromised, as many others have been, via a third-party supplier.
Later in the evening, BlackCat also named Estée Lauder Companies on its own website. No details of how it supposedly accessed the victim’s systems have been made public. Other recent victims claimed by the highly active gang include Barts NHS Trust and storage supplier Western Digital.
In screengrabs shared by Emsisoft’s Brett Callow via Twitter, a Clop representative claimed it had extracted 131GB of data from Estée Lauder Companies. Its representative posted: “The company doesn’t care about its customers, it ignored their security!!!”
A BlackCat representative wrote: “Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen. We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe their data was worth a lot more.
“And another note to the public, ELC been attacked [sic] by our colleagues at Cl0p regarding the MOVEit vulnerability attacks. We are not sure if anything came of this, but we only knew because they mentioned it in their emails.
“We have reiterated to ELC that we are not associated with them and that this is completely separate.”