Yves Rocher, the largest cosmetics company, suffers a data breach; all customers’ information leaked

Large tech companies, enterprise services, banking institutions and government organizations are not the only ones affected by the activities of malicious hackers. This time, web application security specialists reported a data breach in a third-party service that has leaked the data of millions of customers of the major French cosmetics company Yves Rocher.

The incident occurred due to a poorly configured database belonging to the tech company Alzinet, which specializes in digital transformation and, in addition to Yves Rocher, works for other large companies, such as Lacoste.

A group of web application security experts from the vpnMentor firm managed to access one of the company’s confidential databases, where the records of around 2.5 million Yves Rocher customers in Canada were stored. Among the data exposed during the incident are:

  • Full names
  • Phone numbers
  • Email addresses
  • Birth dates

In addition to this personal data, researchers accessed records of more than six million company operations, including the order amount, the currency used for payment, delivery dates and the location of the store where each purchase order was placed.

As if that wasn’t enough, web application security experts discovered that each order is linked to a unique customer identification key. “By comparing the company’s customer records with purchase orders it was possible to identify which users placed each order,” the experts added.

The data breach did not only expose information about the company’s customers. In their report, experts mention that the database also stored data about Yves Rocher’s operations, including some metrics on user traffic in some branches, sales and order volumes, details about some products, raw material data and sales codes.

According to web application security specialists from the International Institute of Cyber Security (IICS), the leaked information about the company’s internal operations could be of great interest to some of its competitors, so the exposure of this database is a really inconvenient issue for everyone involved. “If other companies accessed this information they would have the resources to deploy marketing campaigns specifically targeted to Yves Rocher customers, leaving the company at risk of losing a significant portion of its customers worldwide,” the experts added.

This is not the first time a cosmetics company has suffered a similar incident. A few weeks ago, thousands of customers of the French company Sephora in Asian territories began receiving a notification from the company informing them that a large amount of information had been leaked from one of the company’s databases. Sephora asked customers to reset their passwords and offered information monitoring services to prevent malicious use of the leaked data.
