Estée Lauder Data Breach: MOVEit Zero-Day Exposes Sensitive Data

Estée Lauder breach exposes sensitive personal data

The Estée Lauder data breach in 2023, driven by a MOVEit Transfer zero-day vulnerability, led to the exposure of sensitive health information and Social Security numbers. This high-profile incident highlights the dangers posed by unpatched software and coordinated attacks by multiple threat actors.

Timeline and Key Events of the Estée Lauder Data Breach

The breach at Estée Lauder unfolded over several months in 2023, revealing the complex and evolving nature of modern cyber attacks. Two notorious ransomware groups, Cl0p and ALPHV/BlackCat, both targeted the company, exploiting the same vulnerability to achieve different criminal aims.

  • 30 May – 1 June 2023: Attackers infiltrated Estée Lauder’s network by exploiting a zero-day flaw in their MOVEit Transfer file-sharing software. This breach window predates public awareness of the vulnerability and allowed unauthorised data access.
  • 31 May 2023: Progress Software disclosed and patched the MOVEit Transfer vulnerability (CVE-2023-34362). At this stage, many organisations, including Estée Lauder, had not yet updated their systems.
  • 18 July 2023: Estée Lauder announced it had identified a cybersecurity incident, isolated affected systems, and warned of ongoing operational disruption.
  • 19 July 2023: Both Cl0p and ALPHV/BlackCat claimed responsibility for the breach. Each group listed Estée Lauder on their extortion leak sites, threatening to publish stolen data unless ransoms were paid.
  • July–August 2023: BlackCat actors maintained a presence in Estée Lauder’s environment, attempting further operations. The company worked to remediate the breach and assess the scope of the compromise.
  • 31 August 2023: Estée Lauder filed breach notifications with US authorities, revealing the compromise of personal data such as names, dates of birth, and credentials.
  • 18 October 2023: Further notifications detailed the late May attack, confirming exposure of full names, birth dates, Social Security numbers, and health information, mostly affecting employees and related parties.

This timeline demonstrates how threat actors raced to exploit the MOVEit zero-day, with Estée Lauder caught between overlapping attacks from two groups. The company’s phased notifications reflect the ongoing discovery of the full breach impact over the following months.

Technical Details: MOVEit Zero-Day and Attack Methods

The root cause of the Estée Lauder breach was a critical SQL injection vulnerability in the MOVEit Transfer application. This flaw (CVE-2023-34362) allowed attackers to send crafted SQL commands via the web interface, leading to remote code execution on the MOVEit server. The vulnerability affected all unpatched MOVEit Transfer versions on Windows platforms available before 31 May 2023.

Attackers exploited this weakness by uploading a malicious web shell to the MOVEit server. This web shell, later dubbed “LemurLoot” by Microsoft researchers, enabled the attackers to:

  • Remotely access and control the MOVEit server
  • Exfiltrate large volumes of sensitive data from underlying databases
  • Maintain persistence for further exploitation or lateral movement

In Estée Lauder’s case, both Cl0p and BlackCat capitalised on the zero-day. Cl0p’s typical approach focused on mass data theft and extortion, quickly downloading HR records, employee details, and other personal data as soon as access was gained. BlackCat, meanwhile, extended the attack by moving laterally within Estée Lauder’s IT estate, seeking to escalate privileges and deploy ransomware. The operational disruption experienced by Estée Lauder strongly suggests that BlackCat’s activities included attempts to encrypt or otherwise sabotage critical business systems.

It is highly unusual for two threat groups to exploit the same vulnerability within a single victim organisation during the same period. The widespread impact of the MOVEit zero-day, however, created a scenario in which multiple criminal actors targeted Estée Lauder nearly simultaneously, maximising the data theft and operational impact.

Who Was Affected and What Data Was Exposed?

The Estée Lauder breach primarily affected employees and related individuals, with most victims located in the United States. Data compromised in the incident included:

  • Full names and dates of birth
  • Social Security numbers
  • Health and medical information
  • User account credentials, including passwords and security questions

While Estée Lauder’s initial disclosures suggested that general customer data was not impacted, subsequent filings confirmed that highly sensitive personal and health-related information was accessed in the first breach window, likely via HR and benefits records stored or transmitted through MOVEit Transfer.

Exploitation Status and Threat Actor Activity

The MOVEit Transfer vulnerability was actively and aggressively exploited in the wild as a zero-day in late May 2023. The Cl0p gang, in particular, orchestrated a broad campaign targeting many organisations globally, including Estée Lauder, before any public disclosure or patch was available. BlackCat’s involvement, with a reported window of activity from mid-July to late August, underscores how multiple attackers can independently leverage the same vulnerability if it remains unpatched.

No public proof-of-concept exploit code was available at the time of the attacks. This means the threat actors developed or acquired their own private exploits, giving them a decisive advantage over defenders and allowing them to compromise MOVEit Transfer installations before the security community became aware of the threat.

Indicators of compromise associated with the MOVEit attacks include unexpected .aspx web shell files in the application directories and signs of unauthorised data access or credential changes. Estée Lauder did not publicly release specific IOCs, but organisations running MOVEit Transfer should review their systems for signs of similar compromise.

Why This Breach Matters

The Estée Lauder data breach demonstrates how a single software vulnerability can enable multiple well-resourced threat actors to conduct overlapping attacks against the same target. The exposure of health data and Social Security numbers raises the risk of identity theft, fraud, and long-term harm for those affected. The breach also highlights the challenges of detecting and responding to zero-day exploits, especially when attackers act before any security patch or public warning is available.

What Organisations Should Do Next

Organisations using file transfer solutions such as MOVEit Transfer must ensure rapid patching, robust monitoring, and thorough review of access logs when new vulnerabilities are disclosed. Reviewing supplier security and incident response plans is also critical, as third-party software remains a common attack vector. In light of the Estée Lauder breach, timely vulnerability management is essential to prevent similar data exposures and business disruption.

Originally reported by Unknown.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins

Related CyPro Services

  • Managed Detection and Response (MDR)

    Managed Detection and Response (MDR) is an end-to-end managed service designed to help organisations detect, analyse and respond to cyber threats quickly and effectively. It...
    View Service
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call