Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.
In a disgruntled message to the company, the BlackCat gang mocked the security measures, saying that they were still present on the network.
MOVEit data theft attack
In a Security Exchange Commission (SEC) filing on Tuesday, The Estée Lauder Companies confirmed one of the attacks saying that the threat actor gained access to some of its systems and may have stolen data.
The company did not provide too many details about the incident saying that it acted proactively and took down some systems to prevent attackers from expanding on the network.
An investigation is ongoing with the support of “leading third-party cybersecurity experts.” The company is also coordinating with law enforcement.
It appears that the Clop ransomware gang gained access to the company after exploiting a vulnerability in the MOVEit Transfer platform for secure file transfers.
The threat actor started leveraging the vulnerability when it was a zero-day in late May and claimed to have breached hundreds of companies for data theft extortion.
On their data leak site, Clop ransomware lists Estée Lauder with the simple message “The company doesn’t care about its customers, it ignored their security!!!” and a note that they have more than 131GB of the company’s data.
BlackCat pressing for negotiation
On Tuesday, BlackCat also added Estée Lauder to their list of victims but the entry is accompanied by a message showing the threat actor’s dissatisfaction towards the company’s silence to their extortion emails.
Referring to the security experts that Estée Lauder brought in to investigate, BlackCat said that despite the company using Microsoft’s Detection and Response Team (DART) and Mandiant the network remained compromised and they still had access.
The attacker also said that they did not encrypt any of the company systems, adding that unless Estée Lauder engages in negotiations they will reveal more details about the stolen data.
BlackCat hinted that the information exfiltrated could impact customers, company employees, and suppliers.
Estée Lauder’s lack of response to BlackCat’s communication indicates that the company will not engage in any negotiation with the threat actor.
In the SEC filing, the company informs that the focus is “on remediation, including efforts to restore impacted systems and services” and that the “incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.”