Multi-billion-dollar global makeup brand Avon is reeling as after a data leak exposed more than 19 million private records that were found on a publicly accessible database.
A team of security researchers at SafetyDetectives, led by Anurag Sen has said that they discovered the exposed database on an Azure server that contained no password or encryption protection.
“The vulnerability effectively means that anyone possessing the server’s IP address could access the company’s open database,” SafetyDetectives explained.
Avon is a global cosmetics company with more than $5 billion in sales each year. It was unwittingly exposing the database filled with up to 7GB of files for more than a week when the security researchers discovered it and notified the company.
“Given the type and amount of sensitive information made available, hackers would be able to establish full server control and conduct severely damaging actions that permanently damage the Avon brand; namely, ransomware attacks and paralyzing the company’s payments infrastructure,” the researchers wrote in a post.
According to their post, data implicated in the leak includes personally identifiable information like full names, phone numbers, dates of birth, email addresses, physical addresses, GPS coordinates, last payment amounts, names of company employees – suspected but not confirmed – as well as administrator user emails.
The server also contained more than 40,000 security tokens, OAuth tokens, Internal logs, Account settings, Technical server information, according to the researchers.
For more information about an Information Security Management System like ISO 27001 – Click here for your free ISO 27001 Gap Analysis Checklist.
The breach poses a number of potential dangers for customers and those connected to Avon, according to the team at SafetyDetectives. “Exposed details could potentially be used to conduct identity fraud,” as well as the fact that “users’ contact details could be harnessed to conduct a wide variety of scams.”
Avon has notified the Securities and Exchange Commission in two submissions, the first of which, on June 9 said that Avon had been impacted by “a cyber incident in its information technology environment which has interrupted some systems and partially affected operations.”
The second submission to the Securities and Exchange Commission added that “Avon is continuing the investigation to determine the extent of the incident, including potential compromised personal data… nevertheless, at this point it does not anticipate that credit card details were likely affected, as its main e-commerce website does not store that information.”
The data is also potentially extremely valuable to hackers and scammers looking to socially engineer their way into an organisation or the personal finances of a victim. SafetyDetectives explain that “personal information is also used by hackers to build up rapport and trust, with a long-term view of carrying out a larger magnitude intrusion in the future.”
The authors offer up a number of ways people can stay proactive when it comes to information security:
- Be cautious of what information you give out and to whom.
- Check that the website you are on is secure (look for https and/or a closed lock).
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.).
- Create secure passwords by combining letters, numbers, and symbols.
- Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be.
- Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust.
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks.
- Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware.
Implementing an Information Security Management System in your organisation is also one of the most effective ways of mitigating the risk of a data breach, as well as training your staff with best practices in terms of information security.