
Cyber Incident Victim: Estée Lauder Companies

Date: Jul 2023

Location: United States of America

Summary

The Estée Lauder Companies experienced a cybersecurity incident in which an unauthorized third party gained access to some of its systems. The company took systems offline and launched an investigation; it believed that some data was taken. The incident caused significant disruption to business operations, which is expected to continue during ongoing remediation and restoration efforts.

Description

On or around July 1, 2023, The Estée Lauder Companies Inc. identified a significant cybersecurity incident involving an unauthorized third party that had successfully gained access to some of the company's internal systems. This breach represented a serious intrusion into the digital infrastructure of one of the world's leading manufacturers and marketers of prestige beauty products. Upon discovery of the incident, the company's response was immediate and proactive; it took the decisive step of taking down some of its own systems to contain the threat and prevent further unauthorized access. This action, while necessary for security, initiated a period of disruption to the company's normal business operations. Concurrently, Estée Lauder promptly initiated a comprehensive investigation into the nature and scope of the breach. To ensure a thorough and expert analysis, the company engaged leading third-party cybersecurity experts to assist in the investigative process. Furthermore, recognizing the severity of the situation, the company began coordination with law enforcement agencies, a standard procedure in major cyber incidents to aid in the investigation and potential attribution of the attack.

The ongoing investigation revealed that the unauthorized party was not only able to access company systems but also managed to exfiltrate data. Based on the status of the investigation at the time of the public disclosure on July 18, 2023, the company believed that the threat actor had obtained some data from its systems. A critical aspect of the company's ongoing work was to understand the precise nature and the full scope of the data that was compromised. This process of forensic analysis is typically complex and time-consuming, involving detailed audits of system logs, data access patterns, and the specific datasets that were targeted. The company's public statements emphasized that the understanding of the incident was based on the current status of the investigation, indicating that further details might emerge as the probe continued and more information was uncovered. The potential types of data involved were not specified in the initial disclosure, leaving open questions about whether personal information, intellectual property, or other sensitive business data was affected.

In response to the incident, The Estée Lauder Companies Inc. began implementing a series of measures designed to secure its business operations against further attacks and to mitigate the damage already caused. The company also committed to continuing to take additional steps as appropriate, suggesting a dynamic and evolving response strategy that would adapt to new findings from the investigation. The primary focus during this period was on remediation efforts, which encompassed a wide range of activities aimed at restoring the company's operational integrity. A significant part of these remediation efforts involved the complex task of restoring the impacted systems and services that had been taken offline. This restoration process is often meticulous, requiring security teams to ensure that systems are not only functional but also hardened against future vulnerabilities before being reintegrated into the live network environment.

The incident caused immediate disruption to parts of the company’s business operations, and it was fully expected that this disruption would continue for an unspecified period. The proactive takedown of systems, while a crucial containment tactic, inherently leads to interruptions in business processes, supply chain logistics, internal communications, and potentially customer-facing services. The company acknowledged the challenges posed by this situation and publicly thanked its employees for their resiliency during a difficult and uncertain period. The message emphasized a collective effort to remain focused on the business, its consumers, and other stakeholders, highlighting an attempt to maintain operational continuity and uphold corporate responsibilities despite the significant cybersecurity challenge.

The public disclosure of the incident included a cautionary note regarding forward-looking statements, which is a standard legal practice for publicly traded companies. This note explicitly stated that the press release contained statements based on management's current expectations that were subject to risks and uncertainties. These uncertainties could cause actual results to differ materially from those expressed or implied. Specific risks mentioned included the potential for additional information regarding the extent of the cybersecurity incident to be uncovered during the ongoing investigation. This acknowledges the inherent uncertainty in the immediate aftermath of a breach, where the full picture often develops over weeks or months. Other cited risks were the company's ability to adequately assess and remedy the incident and the ultimate length and scope of the disruptions to business operations caused by the incident. This forward-looking statement served to manage investor and stakeholder expectations, noting that the situation was fluid and that the initial assessment might not represent the final outcome.

The Estée Lauder Companies Inc. is a global entity with a substantial portfolio of luxury and prestige brands, including Estée Lauder, Clinique, M•A•C, La Mer, Bobbi Brown Cosmetics, Aveda, Jo Malone London, TOM FORD, and Too Faced, among others. Its products are sold in approximately 150 countries and territories, indicating a vast and complex operational footprint. A cybersecurity incident of this nature, therefore, has the potential to affect a wide range of business units, geographic regions, and functional areas within the corporation. The global scale of its operations means that any systemic disruption can have ripple effects across its international supply chain, marketing activities, e-commerce platforms, and retail support systems. The company's role as a steward of its brands implies a deep responsibility for protecting not only its own corporate data but also the sensitive information of its customers, employees, and business partners, underscoring the gravity of the breach.

Throughout the incident, the company maintained a public posture focused on transparency to the extent possible, given the ongoing investigation and coordination with law enforcement. The initial disclosure provided key facts about the event: the unauthorized access, the system takedown, the engagement of external experts, the involvement of law enforcement, the belief that data was taken, and the expected ongoing business disruption. However, many specific details remained undisclosed at that early stage. The article did not specify the exact date of initial intrusion, the specific tactics, techniques, and procedures used by the threat actor, the exact systems that were accessed, or the precise type and volume of data that was exfiltrated. The lack of these details is common in initial disclosures, as companies must balance the public’s right to know with the integrity of the investigation and the need to prevent providing information that could be useful to the threat actors or could lead to inaccurate conclusions before a full forensic review is complete. The incident represents a significant event in the company's history, demonstrating the modern cyber risks faced by large multinational corporations and the complex, multi-faceted response required to address them.
