Estée Lauder took some of its systems down as a proactive measure in response to a cyberattack that involved the theft of corporate data, the company said Tuesday.
The ALPHV ransomware group, which claims to be behind the attack, said it first contacted Estée Lauder leadership via corporate and personal email accounts on July 15. The group claims Estée Lauder has not responded and listed the company on its leak site Tuesday, according to activity observed by Emsisoft Threat Analyst Brett Callow.
ALPHV claims it has more than 131 GB of Estée Lauder data, Callow said.
In a filing with the Securities and Exchange Commission, Estée Lauder confirmed that an unauthorized threat actor gained access to its systems and stole data. The company said cybersecurity experts and law enforcement are assisting with an ongoing investigation.
“During this ongoing incident, the company is focused on remediation, including efforts to restore impacted systems and services. The incident has caused, and is expected to continue to cause, disruption to parts of the company’s business operations,” Estée Lauder said in the filing.
The New York City-based cosmetics conglomerate did not respond to a request for comment.
“Oh, what these eyes have seen,” ALPHV said in its post on the dark web, according to Callow. “We will not say much for now, except that we have not encrypted their networks.”
ALPHV, also known as BlackCat, threatened to reveal more information about the data it claims to have stolen if Estée Lauder does not respond to its demands.
Clop, the ransomware group behind the MOVEit file-transfer service compromise, also claimed it had breached Estée Lauder, posting the company on its leak site Tuesday. ALPHV asserts it is not associated with Clop and described its intrusion as a “completely separate” attack.
“I’m not aware of any evidence indicating the incidents are linked,” Callow said via email. “In fact, I’m not aware of any evidence that ALPHV even attacked Estée Lauder. This could simply be attention-seeking.”
The trove of sensitive information now in the hands of Clop, via the mass exploit of the MOVEit vulnerability, could help enable more attacks by different threat groups against the already victimized company, Callow said.
“The more information is available, the easier business email compromise attacks and other identity-related fraud become,” Callow said.