Yves Rocher is the latest company to suffer from a data leak. In all, 2.5 million Canadians have been exposed thanks to an unprotected Elasticsearch server.
Another day, another security incident. This time, Yves Rocher is the latest victim. In all, about 2.5 million Canadians have been exposed by the leak. The leak is being blamed on an unprotected Elasticsearch server owned by Aliznet. More from Threatpost:
Researchers with vpnMentor on Monday said that they discovered an unprotected Elasticsearch server owned by Aliznet, which provides consulting services to large firms including IBM, Salesforce, Sephora and Louboutin. The server contained data about international cosmetics and beauty brand Yves Rocher, which is one of Aliznet’s clients, as well as exposing full personal identifiable information of millions of Yves Rocher customers.
“The biggest impacts will be felt by Aliznet, its client Yves Rocher, and the retail company’s end customers,” researchers said in a security alert posted Monday. It added: “The Aliznet leak has wider-reaching consequences than the impact on individual customers. The data breach impacts Aliznet’s clients who placed their trust in the company to protect their sensitive information. One concern is that Aliznet may have other unsecured databases and applications that haven’t been discovered yet. That means other clients of Aliznet may be at risk.”
Neither Aliznet nor Yves Rocher responded to a request for comment from Threatpost. A vpnMentor spokesperson told Threatpost that the database was secured shortly after the exposure was disclosed to Aliznet.
Researchers said they could view the personal data for 2.5 million Canadian customers of Yves Rocher through the unprotected database, including first and last names, phone numbers, email addresses, date of birth and zipcodes. In addition, researchers were able to view records of more than 6 million customer orders for Yves Rocher. Each order was linked to a unique customer ID; researchers were able to use the leaked personal data records to identify individuals who placed orders through their IDs.
This isn’t even the first security incident we were able to report on this month. Just the other day, we reported on the brutally ironic story of cybersecurity firm Imperva suffering from a data breach. As is seemingly the case every month, this month is shaping up to be a rather busy one on this front.
Drew Wilson on Twitter: @icecube85 and Facebook.