What is it with these guys? It must be maddening for security defenders to say the same thing over and over again only to realize that few are listening. Or maybe it’s just the opposite: the certainty that their work will never run out.
In yet another cautionary tale, Tarte Cosmetics, a New York City-based maker of beauty products sold by high-end retailers, left bare the personal records of nearly two million online customers after misconfiguring two of its open source MongoDB databases to allow for public access. Researchers from MacKeeper’s Kromtech Security Center discovered the operator error.
“On October 18th Kromtech security researchers discovered a Mongo database that was connected to Tarte Cosmetics and contained data for almost 2 million US and international customers (exact number of records is 1,891,928) who shopped via their online store between 2008-2017,” wrote Bob Diachenko, Kromtech's chief communication officer, in a blog post.
The cause of the breach was a configuration error: Tarte admins set the databases to allow public rather than private access, exposing the names, addresses, email addresses, purchase histories and the last four digits of the credit card numbers of people who bought online from Tarte between 2008 and 2017.
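The article does not publish Tarte's configuration, so the following is an added illustration rather than the company's or Kromtech's own file. It shows, in mongod.conf form, the kind of setting the article describes (a MongoDB instance listening on every network interface with no authentication) next to a corrected configuration that binds the server to private addresses and requires authenticated, TLS-protected clients. The IP address and certificate path are placeholders.

```yaml
# Weak configuration: the pattern the article describes.
# Anyone who can reach TCP port 27017 can read every collection.
net:
  bindIp: 0.0.0.0           # listen on all interfaces, including public ones
  port: 27017
security:
  authorization: disabled   # no credentials required for any connection
---
# Corrected configuration.
# Bind only to loopback and the private application network, and make every
# client authenticate over TLS before it can see any data.
net:
  bindIp: 127.0.0.1,10.0.0.5            # loopback + private app-network address (placeholder)
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path to server cert + key
security:
  authorization: enabled    # role-based access control; unauthenticated reads are refused
```

Enabling `security.authorization` only helps once an administrative user has been created (MongoDB permits that first user to be created from localhost before locking down), and the application accounts it uses should carry read or readWrite roles on their own database rather than cluster-wide privileges. A quick local check after restarting is to confirm with `ss -ltnp` that mongod is listening only on the addresses named in `bindIp`. Since MongoDB 3.6 the server binds to localhost by default; older releases and some package builds listened on all interfaces unless told otherwise, which is how databases of this era ended up reachable from the internet.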
Unfortunately for Tarte customers, that’s not the end of the story. The ransomware group CRU3LTY apparently accessed the personal data and left its calling card: a note demanding 0.2 bitcoin to restore the database after its contents had been deleted or encrypted. The group is known for seizing unsecured databases.
There’s no minimizing the risk to Tarte’s customers, Diachenko said. “With all of the other data leaks online it is possible that criminals could even cross-reference this data against other breaches and get the customer’s full card number or more information,” he wrote.
Kromtech suggested Tarte was in no hurry to secure the 8.7 GB databases: the company took two days after the researchers contacted it to fix the problem.
“Companies who collect and store payment data will continue to have a very high exposure to cyberattacks and related security risks,” Diachenko said. “This discovery shows once again that many companies are still not putting enough focus on how they manage security risks.”
This incident comes on the heels of another alleged Tarte security breach last month, when the company leaked 1,400 email addresses to its customers. Tarte denied that its systems were hacked and blamed an issue with its automated email service.