Third-party cock-up triggers Yves Rocher data breach

Cosmetics and beauty giant Yves Rocher – which axed its UK website earlier this year – has been hit by a major data breach triggered by a third-party supplier.
The breach, which it is claimed affects over 2.5 million Canadian customers, has exposed a raft of personally identifiable information, including name, phone number, email address, date of birth and postcode, as well as online transactions.
The issue has been blamed on French retail consulting company Aliznet, whose clients have included IBM, Salesforce, French chain Sephora, and shoe brand Louboutin.
According to vpnMentor, its research team found multiple vulnerabilities in Aliznet’s systems that could possibly be exploited to expose even more data. One serious vulnerability involves an unprotected API interface for a bespoke application that Aliznet appears to have created for Yves Rocher.
The leaked customer records tied each individual to a unique customer ID, which can be used to identify customers listed on Yves Rocher order records that were part of the data breach.
Researchers were able to view records of more than 6 million customer orders in the Aliznet database. For each order, they could see the transaction amount, currency used, delivery date, and the location of the store where the order was placed.
Each order is also linked with a unique customer ID. Using the leaked Yves Rocher customer records, vpnMentor was able to identify the individual who placed each order through their customer ID.
The incident is the second major third-party data breach in a week. Last Tuesday Mastercard fessed up to EU data protection regulators that customer data from its “Priceless Specials” loyalty scheme had been posted online for “a certain period of time” by a third-party vendor.
Yves Rocher closed its English e-commerce site in March, just days before the first official Brexit date of March 31. While it refused to blame the political situation, it did say that “the economic context does not allow Yves Rocher to continue to trade in the UK.”
However, despite trading in the UK for 25 years, the country is actually only responsible for 0.5% of its 153 million annual page views worldwide.
