Estée Lauder Database of Over 400 Million Records Discovered Online by a Security Researcher

Kehoe Law Firm, P.C. is making consumers aware that reported that “[s]ome 440 million records in a database belonging to cosmetics maker Estée Lauder Companies Inc. have been found unsecured and exposed online, potentially putting customers at risk.”  According to,

[t]he database was discovered by security researcher Jeremiah Fowler from Security Discovery Jan. 30 and publicized today. It involved 440,336,852 individual pieces of data, including plaintext email addresses, some sent from internal email addresses. It also included references to reports and internal documents as well as IP addresses, ports, pathways and storage information. [Emphasis added.]

Further, reported:

In a statement, Estée Lauder confirmed the data exposure, saying that the database contained ‘a limited number of non-consumer email addresses from an education platform.’  It also claimed it contained no consumer data and it had found no evidence of unauthorized use.

How long the data was accessible online is unknown. Given the depth of the data exposed, the company’s claims that it contained no customer data are not reassuring. There is also a serious concern that the data, as it related to internal systems, could have been used as a secondary path for malware through which further data could be compromised. [Emphasis added.]

Have You Been Impacted by a Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the types of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.