Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

Aliznet exposed database leaks data on 2.5 million Yves Rocher customers

down-arrow

Personal information on customers of French retail consultancy Aliznet were exposed through an unprotected Elasticsearch server.

“The most sensitive leaked data involves [2.5 million Canadian] customers of Aliznet’s client Yves Rocher, an international cosmetics and beauty brand,” according to a blog post by vpnMentor, whose research team led by Noam Rotem and Ran Locar discovered the breach. The information exposed included “customers’ full personally identifiable information (PII) were exposed, along with detailed records of their orders.”

The researchers said the records “revealed something potentially sensitive called an FID number for each customer” that might be tied to shipping or taxes as well as unique customer IDs assigned to individuals.

“Managing the extensive supply chains that global enterprises rely on today can be a cumbersome process, especially with legacy GRC tools or spreadsheets,” said George Wrenn, CEO and Founder of CyberSaint Security. “From a purchaser perspective, businesses need to be aware and increasingly diligent when it comes to sourcing a vendor, especially when dealing with the sensitive information that we see in this case.”

Researchers also discovered another serious vulnerability in the exposed Elasticsearch server that allowed them “to access the API interface for an application created by Aliznet for Yves Rocher” and intended for use by the company’s employees, they wrote. “After examining the interface, our researchers believe that it would be possible for someone to easily log in to the system using an employee ID” that the Aliznet leak exposed.

“For companies such as Yves Rocher who contracted with Aliznet, it is a tough situation, because you put trust in your third-party contractors to create a secure application that can deliver you results,” said Lecio DePaula, data privacy director at KnowBe4, who noted that the Aliznet breach is just one more example of the potential “catastrophic results” of a misconfiguration or error. “This situation highlights why it is extremely important to have a third-party information security/privacy risk management program that is able to perform due diligence on software or services that an organization is developing or has developed, especially if it will be housing customer data.”

Since the breach crossed international borders, it could present a privacy challenge for Aliznet and Yves Rocher. “Since the impacted consumers were Canadian, this can have far reaching impacts for Yves Rocher and Aliznet due to data protection regulations such as PIPEDA and other Canadian provincial privacy laws,” said DePaula. “These laws have mandatory breach reporting requirements and organizations are now vulnerable to high fines under the regulation.”

This post originally appeared on SC Media - read it here

You may also like

CyberSaint Recognized in ...
on October 28, 2024

BOSTON— (BUSINESSWIRE)— CyberSaint, a leader in cyber risk management, was recognized in Gartner’s Innovation Insight: Cyber GRC Streamlines Governance report as a Representative ...

CyberSaint Recognized in 2024 ...
on August 21, 2024

BOSTON--(BUSINESS WIRE)--CyberSaint, a leader in cyber risk management, was recognized in the 2024 Gartner Hype Cycle™ for Cyber Risk Management as a Sample Vendor for Cyber ...

STRONGER 2024 Conference ...
on July 31, 2024

BOSTON--(BUSINESS WIRE)--CyberSaint, the leader in cyber risk management, today announced that attendee registration is now open for its annual STRONGER conference; the ...

CyberSaint Enables Customers to ...
on July 29, 2024

In today’s fast-paced business environment, CISOs must navigate the constant daily flood of data while prioritizing risk buy-down in the areas most likely to affect their ...

Jerry Layden
CyberSaint Launches NIST CSF ...
on May 8, 2024

BOSTON--(BUSINESS WIRE)--CyberSaint, the leader in cyber risk management, announced today the release of the NIST Cybersecurity Framework (CSF) Benchmarking Feature, which allows ...

CyberSaint Announces $21M in ...
on March 20, 2024

Boston, MA – March 20th, 2024 – CyberSaint, the leader in cyber risk management, today announced the company has raised $21M in Series A funding led by Riverside Acceleration ...