
Yves Rocher Vostok

Company

Perfumery and cosmetics. Sale of goods.


The Yves Rocher cosmetics brand has been present on the Russian market since 1991. As of 2014, the company had 300 boutiques in 117 cities and 30 SPA salons in 21 cities in Russia.

History

2019: Data of 2.5 million Yves Rocher clients appeared in open access

On September 4, 2019, the Zecurion company reported that cyber security specialists had gained access to confidential data of millions of the company's clients. According to Vladimir Ulyanov, head of the Zecurion analytical center, competing cosmetics companies can use this information to lure clients away, which will result in large financial losses for Yves Rocher.


Specialists from vpnMentor were able to access an unprotected database containing information about 2.5 million Canadian clients of Yves Rocher. It contained names, phone numbers, e-mail addresses, dates of birth and zip codes. The same database held information about more than 6 million customer orders, including the transaction amount, the currency used, the delivery date and the shop location. The data was stored in open form on servers of the French consulting company Aliznet, which provides IT services to Yves Rocher.

The experts also found Yves Rocher service data, including shop traffic statistics, turnover and order amounts, product descriptions and ingredients for more than 40,000 products, as well as prices and product codes. This information may be of interest to the company's competitors, allowing them to estimate the shop's sales, order amounts and other trade data.

"Each order is connected with a unique identifier of the client. Using the compromised data of buyers, we could identify each person who placed the order," the researchers reported.

"As practice shows, bringing in IT contractors often increases the possibility of a compromise of the company's client data many times over. Recently we already observed several similar incidents when, for example, giants like Apple entrusted listening to users' conversations with the voice assistant to an outsourcing company. It did not lead to anything good. I can recommend that companies handle client data themselves and use modern DLP solutions for information loss prevention," explained Vladimir Ulyanov.

The vpnMentor team also found an API vulnerability that allowed them to access an application created by Aliznet for Yves Rocher staff. Using the employee identifiers found as a result of the previous leak, hackers could log in under the guise of company personnel and obtain even more data on clients and their purchases.[1]

Notes