Estée Lauder Breached in Twin MOVEit Hacks, by Different Ransom Groups

The cosmetics conglomerate was apparently breached through the infamous MOVEit flaw by both Cl0p and BlackCat, at roughly the same time.

Estee Lauder lipsticks
Source: Keith Homan via Alamy

Both the Cl0p and BlackCat ransomware gangs posted messages bragging about breaching Estée Lauder by way of the MOVEit flaw on the same day — but the two instances aren't related.

On July 18, Estée Lauder Cos. disclosed a "security incident," adding cyber-threat actors were able to compromise some data and that an investigation was ongoing. The company said some systems were shut down as a result of the hack.

"The company is implementing measures to secure its business operations and will continue taking additional steps as appropriate," the disclosure said. "During this ongoing incident, the company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the company's business operations."

The same day, both BlackCat and Cl0p claimed to have breached Estée Lauder using the MOVEit flaw. Emsisoft threat analyst Brett Callow shared images of the messages from both groups.

Twice the Data Theft, Twice the Cyber-Risk

"We will not say much for now, except that we have not encrypted their networks," the BlackCat group wrote in its Dark Web posting claiming credit for one of the cyberattacks. "Draw your own conclusions for now. Maybe the data was worth a lot more."

A briefer claim from Cl0p said the group has 131GB of data, plus archives belonging to Estée Lauder.

In its posting, BlackCat confirmed that the group's breach was completely separate from the Cl0p incident: "ELC has been attacked by our colleagues at Cl0p regarding the MOVEit vulnerability attacks. We have reiterated to ELC that we are not associated with them."

Callow says the coincidence isn't as surprising as it may seem on the surface.  "As far as I’m aware, there’s no reason to believe the incidents are related," Callow explains to Dark Reading. "Given the very large number of organizations impacted by MOVEit, it’s inevitable that some will have other, unrelated incidents in close proximity."

And, as if two cyberattacks on the same day weren't enough, Callow says Estée Lauder's stolen data could be used in follow-on offensives.

"The possibility exists that the data stolen by Cl0p may be being used to spear phish victims in fresh attacks," Callow says.

Other organizations which have been breached using the MOVEit flaw include British Airways, government agencies, Norton, UCLA, Siemens, Shell, and many, many more.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights