Avon Brazil Leaked Sensitive Data Of 600K Customers

Avon Brazil exposed over 600,000 customers' personal information online and likely lost the data to ransomware.

Avon Brazil left a database containing 4.3 GB of data publicly accessible. An estimated 629,295 customer records were exposed, and the database went offline around the same time that ransomware campaigns hit unsecured MongoDB databases.

The initial discovery was made in May 2016. Since then, researchers sent multiple data breach notices to contacts at every level of the company, all of which were ignored. The database remained open and fully exposed for months, with thousands of email addresses, postal addresses, phone numbers, passwords to internal Avon accounts, identification data, and even partial links to scanned copies of documents.

In January 2017 nearly every publicly accessible MongoDB database had its data wiped and replaced with a ransom message claiming that the owner of the hacked database needed to pay 0.2 Bitcoin (about $200 at the time) to a Bitcoin wallet in order to have the data returned. It is unclear whether anyone actually got their data back after paying, and no company would admit to paying a ransom for obvious reasons. According to some estimates, the attackers deleted data from as many as 33,000 databases. In most cases the attackers did not need an exploit at all: the instances were listening on the default port on a public interface with no authentication, so any client that could reach them could drop every collection and write the ransom note.
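The two settings that put a MongoDB instance in that position are a listener bound to every interface and authorization left disabled. The following audit script is an added example written for this article, not code from Kromtech or Avon: it reads the flat `section:` / `  key: value` layout of a `mongod.conf`, flags a wildcard `net.bindIp` (or an unset one on builds before 3.6, which bound to all interfaces by default) and a missing `security.authorization: enabled`, and shows a weak configuration beside its hardened counterpart. The sample config files, the 10.0.0.12 interface address, and the default `version=(3, 4)` are assumptions made for the example.

```python
"""Added example (not Kromtech's or Avon's code): audit a mongod.conf for the
two settings behind the 2017 MongoDB wipes, a listener on every interface and
authorization switched off.  Stdlib only; the reader below handles the flat
`section:` / `  key: value` layout mongod.conf uses, not full YAML.  The
sample configs are constructed for this example."""

import sys

# Constructed example of a 2016-era deployment: mongod reachable from the
# internet on the default port, with no security section at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened counterpart: loopback plus one internal interface
# (10.0.0.12 is an assumed app-subnet address) and role-based auth enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12   # never 0.0.0.0 on a host with a public address
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the `section:` / `  key: value` subset of YAML used by mongod.conf
    into {section: {key: value}}.  Comments and blank lines are skipped and
    surrounding quotes on values are dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not indented:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit(conf, version=(3, 4)):
    """Return a list of findings describing the exposure that made the wipes
    possible.  `version` is an assumption: before 3.6 mongod bound to all
    interfaces when net.bindIp was unset, so an absent setting is a finding
    on older builds and not on newer ones."""
    findings = []
    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        if version < (3, 6):
            findings.append("net.bindIp unset: mongod before 3.6 listens on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append("net.bindIp includes a wildcard address: mongod listens on every interface")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that reaches "
                        "the port can read, drop and replace every database")
    return findings


def audit_text(text, version=(3, 4)):
    """Parse and audit the contents of a config file in one call."""
    return audit(parse_mongod_conf(text), version)


if __name__ == "__main__":
    # Usage: python audit_mongod.py /etc/mongod.conf   (defaults to the samples)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or \
              [("WEAK_CONF", WEAK_CONF), ("HARDENED_CONF", HARDENED_CONF)]
    for name, text in sources:
        print(name + ":", audit_text(text) or ["no findings"])
```

Binding to a private interface only limits who can connect; enabling authorization limits what a connection can do once it is there, and both are needed because a host firewall or cloud security group can be loosened later without anyone touching `mongod.conf`.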

Kromtech researchers believe Avon Brazil's data was most likely compromised in the ransomware attack, which would mean that cyber criminals had access to thousands of credit card numbers, scanned ID cards, IP addresses and much more. It is also unclear whether Avon's Brazil office notified any of the 629,295 people potentially affected by the data leak or the assumed ransomware attack. Brazil currently has no single statute establishing a data protection framework and has been drafting a data protection law since 2010. Having weak security or a misconfigured database is bad enough, but ignoring multiple notices with screenshots and other proof is irresponsible and puts customer data at risk. The breach did not appear to affect Avon's US customers or any territory other than Brazil.

Avon is a household name in the United States and beyond and is best known for its direct selling of beauty products and household goods. It is the fifth-largest beauty company, with 6.4 million representatives, and sells products in over 100 countries. But what happens when customer data from one of those countries is stored improperly?

Avon is based in the United States, but since 2010 Brazil has been the company's largest market.

Information for editors:

The Kromtech (MacKeeper) Security Research Center was established in December 2015 with the goal of helping to protect data, identifying data leaks and following a responsible disclosure policy. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of our discoveries have been covered in major news and technology media, earning the Kromtech Security Center a reputation as one of the fastest-growing cyber data security teams.

For more information get in touch with us at: security@kromtech.com
