$76-billion-dollar retail giant Estée Lauder (EL) suffered a breach of a reported 440 million records, including customer data. The breach resulted from a non-password-protected cloud server. Importantly, it does not appear that any payment information was part of the breach.
The company was notified of the breach by an independent security researcher, who notified the company after discovering the open records on the web. The company reportedly responded in a timely manner, blocking access to the unprotected server and records.
A few takeaways from this case to understand the potential financial implications of a significant data loss breach like this:
- EL didn’t know it had been breached—this is not unusual. The vast majority of companies do not know when they have been breached. External notifications of cloud-server-related breaches are especially common. One major cloud vendor used by half the Fortune 100 misconfigured an AWS server and left a terabyte of data exposed. And, IBM recently pointed to misconfigurations as the primary cause of most data loss breaches globally.
- A customer data breach is important, but not as damaging as a business disruption breach. This is true even for a retail company in a competitive sector where reputation is at a premium. Unlike other high-profile customer data breaches, like Home Depot in 2014, no customer payment information was determined exposed. Companies can recover more easily from these breaches compared to business disruptions (like ransomware) that tend to be financially costly in the near-term, as well as expensive to repair damage caused in the longer-term. Companies like Home Depot may take a short-term hit, but, if the right steps are taken to improve governance, share price and overall growth trajectories can quickly recover. The same is not true of business disruptions where share price losses can endure for six to nine months, causing the company to lose considerable ground to peers.
- Looking through a CyFi lens, minimal financial impact. Looking at this through a cyber-financial (CyFi) lens, EL monetizes data by storing and organizing it, extracting customer behavioral insights to better anticipate what customers and potential customers want to buy. Customer data loss breaches that do not involve customer financial information typically do not negatively impact customer churn, sales revenues, or margins, but rather generate a brief period of negative headlines.
This is not to say that a breach of this scale is not important. Based on the known facts, EL appears to have poorly managed its technology stack, something that could put the company at risk of a more damaging breach in the future if corrective actions are not taken.