Two ransomware groups appear to have independently hacked the multinational cosmetics company Estée Lauder.
In a statement on Tuesday, the makeup manufacturer, which also owns brands such as Aveda, Clinique, and Tom Ford Beauty, admitted to a “cybersecurity incident” expected to cause “disruption to parts of the Company’s business operations.”
“Based on the current status of the investigation, the Company believes the unauthorized party obtained some data from its systems, and the Company is working to understand the nature and scope of that data,” the cosmetics giant wrote.
While the statement fails to name the suspected unauthorized party, two ransomware gangs, ALPHV (BlackCat) and Cl0p, took credit.
Cl0p first announced the alleged breach on Tuesday, with BlackCat making similar announcements later that day. As noted by Brett Callow, threat analyst with the cybersecurity firm Emsisoft, Cl0p claimed in a post on the dark web that it was able to pilfer 131GB of data from Estée Lauder.
Meanwhile, BlackCat, which said that its own alleged breach was unrelated, hinted at holding the company’s data for ransom. While such cybercrime gangs traditionally hold victims for ransom by encrypting their files, a newer method of stealing data and threatening to release it has become commonplace.
“Estée Lauder, under the control of a family of billionaire heirs. Oh, what these eyes have seen,” the group wrote. “We will not say much for now, except that we have not encrypted their networks. Draw your own conclusions for now. Maybe their data was worth a lot more.”
While it remains unknown whether any negotiations have taken place between the makeup manufacturer and the two cybercrime groups, Estée Lauder made a filing with the Securities and Exchange Commission (SEC) on Tuesday. Such filings must be made to the SEC in the wake of any major events that could affect shareholders.
Estée Lauder has also stated that it is working with third-party cybersecurity organizations as well as law enforcement to determine the scale and scope of the hacks.
It currently remains unclear what data was taken during the two breaches. Both Cl0p and BlackCat have repeatedly made headlines in recent weeks for a slew of high-profile cyberattacks. While BlackCat has targeted dozens of companies such as Reddit and Amazon’s Ring, Cl0p has been exploiting a recently discovered vulnerability known as MOVEit to target hundreds of companies, governments, and other organizations.