[BreachExchange] Keeping up with cybersecurity: Kylie Cosmetics discloses data breach

Destry Winant destry at riskbasedsecurity.com
Thu Oct 1 10:55:09 EDT 2020


https://siliconangle.com/2020/09/30/keeping-cybersecurity-kylie-cosmetics-discloses-data-breach/

Kylie Cosmetics LLC, the cosmetic company founded by Kylie Jenner of
“Keeping Up with the Kardashians” fame, has disclosed that customer
information was stolen as part of the data breach of Shopify Inc. last
week.

The Shopify data breach involved two “rogue” employees in a “scheme” to
obtain customer transaction records from certain merchants. The data
stolen included contact information as well as order details such as
products and services purchased. Shopify never disclosed which
merchants were affected.

In a notice to customers published by TMZ, Kylie Cosmetics said that
it was “working diligently with Shopify to get additional information
about this incident.” The notice states that the incident affected
names, addresses, emails, product orders and the last four digits of
customers. “Shopify has assured us that the customers’ full payment
details… were not compromised in the incident,” the notice added.

Founded in 2015 under the name of Kylie Lip Kits, the company was
valued at $900 million in March 2019 with a 51% stake in the company
acquired by Coty Inc. for $600 million in November.

That a high-profile brand with a valuation of more than $1 billion has
been caught up in a data breach that involved employees at a
third-party supplier once again raises concerns.

“When a business engages with a third party to operate a critical
portion of their business … the business is effectively transferring
risk and obligations to the provider while accepting risk in return,”
Tim Mackey, principal security strategist, Cybersecurity Research
Center at electronic design automation company Synopsys Inc. told
SiliconANGLE.

“In this case, the risk accepted by Kylie Cosmetics and the roughly
200 other impacted Shopify businesses was that Shopify has effective
controls in place to limit employee access to storefront customer
data,” he added. “While there is always a level of risk from an
insider attack, when the insider is an employee within your digital
supply chain, managing that threat can become complicated. This is why
audit and access controls are key to any cybersecurity strategy.”

Lamar Bailey, senior director of security research at cybersecurity
firm Tripwire Inc., noted that insider threats often get little
attention. “Support engineers are often an entry-level job so it is
easier for someone to infiltrate the organization at this level,” he
said.

“A bad actor looking to gain company data can easily use a fake
identity to secure a job and then use this position as a launching
point for gathering data to sell on the black market,” Bailey added.
“It is imperative that organizations have security controls in place
for user, access and file monitoring to look for employees accessing
systems, code, or data they do not need access to. A stance of least
privilege for everyone is the best policy.”
