Estee Lauder joins Mary Kay on MOVEit victim list


Estee Lauder announces its business operations have been impacted by an unauthorized party, making it the second cosmetics company to be claimed by the Cl0p ransom gang in the MOVEit attacks. Mary Kay Cosmetics was named by the hackers last week.

The New York City-based cosmetics giant put out a statement on its website Tuesday identifying the breach as a “cybersecurity incident” involving an “unauthorized third party that has gained access to some of the Company’s systems.”

Estee Lauder, also the parent company of MAC cosmetics, Bobbi Brown, and Tom Ford Beauty, said once aware of the breach, it “proactively took down some of its systems and promptly began an investigation with the assistance of leading third-party cybersecurity experts.”

“Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data,” Estee Lauder stated.

The Cl0p ransomware gang, responsible for the spate of zero-day attacks exploiting a flaw in the MOVEit file transfer system this May, listed the company on its dark leak site, also on Tuesday.

The Cl0p group is claiming to have stolen 131GB of company data plus Estee Lauder archives.

“The amount of data that appears to be held for ransom is significant,” said Lior Yaari, CEO and co-founder of Israeli cybersecurity startup Grip Security.

Estee Lauder Cl0p MOVEit
Cl0p leak site

“This disclosure by Estee Lauder raises a lot of questions about how severe the breach was and what sensitive or confidential data is at risk,” Yaari said.

In its statement, the global cosmetics conglomerate admitted the cyberattack was “expected to continue to cause, disruption to parts of the Company’s business operations.”

“There is likely to be impacts to Estee Lauder’s employees, customers, or partner,” Yaari said.

Since June 14th, Cl0p has been publishing hordes of sensitive data – allegedly stolen from hundreds of victim companies worldwide using the MOVEit Transfer software – once a victim refuses to negotiate with or pay a ransom to the gang.

Moreover, since Estee Lauder posted the news on its website Tuesday, it seems another hacker group with ties to Russia, BlackCat, is also getting in on the action.

Meantime, the Mary Kay corporation was previously listed as a victim on the Cl0p leak site on July 12th.

Cybernews has reached out to both Estee Lauder and Mary Kay (last week), but neither have responded at the time of this report.

So far, the Cl0p gang has not posted any information regarding files possibly stolen from Mary Kay.

Mary Kay Cl0p MOVEit

Infamously known as a multi-level marketing company that awards its salesforce with a 'Pink Cadillac,' the Mary Kay corporation currently has independent beauty consultants operating in over 40 countries worldwide.

The Texas-based Fortune 500 company was founded by American businesswoman Mary Kay Ash in 1963 and has grown to include a robust research and development program and many social initiatives to empower women.

Mary Kay’s annual revenue was listed at $2.7 billion by Forbes in 2022. By comparison, Estee Lauder's 2022 revenue was listed at $17.8 billion.

MOVEit victims in the triple digits

So far, experts predict that more than 230 organizations have fallen victim to the MOVEit attacks, with the estimated number of exposed people exceeding 17 million.

Made by Progress, an American software company, the extent of the exposed data depends on how the company uses the file transfer system.

Cl0p is known for its “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data into its data leak site if the ransom is not paid.

Citing failed negotiations on Tuesday, the gang published over 3T of data from online broker platform TD Ameritrade and global accounting firms Ernst & Young (EY) and Pricewaterhouse Coopers (PWC).

Shell Global was the first victim to be named out of over 180 companies now listed on Cl0p leak site.

Other victims this past week include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System.

Big brand victims include Shutterfly, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.

Last week, Cybernews was able to confirm ING Bank, as well as three other major European banks – Deutsche Bank, Postbank, and Comdirect – were also impacted by the attacks through a common third-party vendor, Majorel.

Earlier MOVEit victims from June included Sony, Siemens Energy, the NYC Department of Education, and several US government agencies, including the Department of Energy and Health.

New evidence, exclusive to Cybernews, points to the fact that the pro-Russian gang is still operating in secret within Ukrainian borders.

US officials are offering a $10 Million dollar bounty on the Cl0p gang.