Another day, another breach, this time involving cosmetics retailer Sephora. Earlier this week, reports stated that the personal details of Sephora’s online customers had been leaked, including those in countries such as Singapore, Malaysia, Thailand, Indonesia, the Philippines, New Zealand and Australia.
The data has since found its way onto the dark web, where hackers have been trying to profit by selling databases of around 3.7 million Sephora customer records, containing information that includes customers’ names, email addresses, login details, encrypted passwords, IP addresses, personal details and beauty preferences.
Sephora’s Managing Director of Southeast Asia, Alia Gogi, has gone on record to unconvincingly say that while some personal information may have been exposed to unauthorised third parties, no credit card information was accessed and that the company had “no reason to believe that any personal data has been misused”.
It may be true that no credit card information or decrypted passwords were leaked. However, there are still plenty of ways for today’s cybercriminals to misuse the leaked data, for example through social engineering or highly targeted spear phishing attacks.
CSA reached out to security experts at Synopsys and HackerOne, who agreed to share some of their thoughts on the incident and how companies can avoid suffering similar breaches. The full comments are as follows:
Nabil Hannan, Managing Principal at Synopsys Software Integrity Group
"At first, the Sephora breach seems as mysterious as beauty products are to most men. The fact that they found no major vulnerability (based on their efforts to find one) doesn’t mean that data could not have been leaked. There are two things that immediately come to mind when reading the statement from Sephora’s managing director.
The first is that they say there is “no reason to believe that any personal data has been misused” – this is very hard to claim given they have made a statement that user data has been breached, including things like first and last name, date of birth and gender. It’s not possible to determine how this data may have been misused after the breach.
Another thing about this incident that stands out is the fact that they did a review of their software, but found no major vulnerability. Sometimes a vulnerability may not be required for a breach to occur. Organisations also need to consider that potential malicious insider threats may exist. For example, when looking at where the database was breached, it’s important to understand the threat model of the system, and determine things like who had access to the database and if they really needed to have access.
These types of breaches highlight the importance of conducting a holistic assessment of the full software ecosystem through threat modelling or architecture risk analysis to determine if there are flaws in how the software is designed that could be used maliciously by an insider to result in such a breach, even when there may not be any major security bug in the software components."
Laurie Mercer, Sales Engineer, EMEA, HackerOne
"Sephora has responded very responsibly to this data breach, notifying customers and reviewing its security systems, so customers can be confident that the company is now doing the right thing by them.
However, while consumers do place trust in companies to keep their data secure, when they learn of a data breach like this, I’d recommend they also take precautionary steps to secure their data, regardless of whether or not they think they’ve been affected, to avoid any nasty surprise years down the line. In a case like this, keeping vigilant for spam and phishing emails is going to be key after such a breach.
Breaches like this also drive home the point that every company should have a formal process to accept vulnerability reports from external third parties. A Vulnerability Disclosure Policy or Security@ email is the best way to ensure that when someone sees something exposed, they can say something."