Content
Aliznet exposed database leaks data on 2.5 million Yves Rocher customers
Personal information on customers of French retail
consultancy Aliznet were exposed through an unprotected Elasticsearch server.“The most sensitive leaked data involves [2.5 million
Canadian] customers of Aliznet’s client Yves Rocher, an international
cosmetics and beauty brand,” according to a blog post by
vpnMentor, whose research team led by Noam Rotem and Ran Locar discovered the breach.
The information exposed included “customers’ full personally
identifiable information (PII) were exposed, along with detailed records of their orders.”The
researchers said the records “revealed something
potentially sensitive called an FID number for each customer” that
might be tied to shipping or taxes as well as unique customer IDs assigned to individuals."Managing the
extensive supply chains that global enterprises rely on today can be a
cumbersome process, especially with legacy GRC tools or spreadsheets,” said George
Wrenn, CEO and Founder of CyberSaint Security. “From
a purchaser perspective, businesses need to be aware and increasingly
diligent when it comes to sourcing a vendor, especially when dealing with
the sensitive information that we see in this case.” Researchers also discovered another serious vulnerability in the exposed Elasticsearch server that allowed them "to access the API interface for an application created by Aliznet for Yves Rocher” and intended for use by the company’s employees, they wrote. “After examining the interface, our researchers believe that it would be possible for someone to easily log in to the system using an employee ID” that the Aliznet leak exposed.“For companies such as Yves Rocher
who contracted with Aliznet, it is a tough situation,
because you put trust in your third-party contractors to create a secure
application that can deliver you results,” said Lecio DePaula, data
privacy director at KnowBe4, who noted that the Aliznet breach is just one more
example of the potential “catastrophic results” of a misconfiguration or error.
“This situation highlights why it is extremely important to have a third-party
information security/privacy risk management program that is able to perform
due diligence on software or services that an organization is developing or has
developed, especially if it will be housing customer data.”Since the breach crossed international borders, it could present
a privacy challenge for Aliznet and Yves Rocher. “Since the
impacted consumers were Canadian, this can have far reaching impacts for Yves
Rocher and Aliznet due to data protection
regulations such as PIPEDA and other Canadian provincial privacy laws,” said
DePaula. “These laws have mandatory breach reporting requirements and
organizations are now vulnerable to high fines under the regulation.”
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds