Customers' Cybersecurity Under Threat After Avon Reports a 'Cyber Incident'
In the aftermath of a cyberattack, the targeted company needs to quickly disclose as many details as possible. It needs to explain what sort of attack it's been through, who might be affected, and what the consequences for individual users could be. For reasons that remain unclear for now, international cosmetics retailer Avon appears to be struggling with this.
On June 9, the company filed an 8-K form with the US Securities and Exchange Commission (SEC), which explained that Avon had suffered what the filing called "a cyber incident in its Information Technology environment." The retailer said that some of its operations were affected but was adamant that it was still not entirely sure how big the attack had been. Three days later, Avon filed a second 8-K with an update on the "cyber incident." According to it, the company was restarting some of the attacked systems and was still in the process of determining exactly what had happened. For the first time, it mentioned that some personal data might have been compromised, though it was quick to point out that people's credit card details are unlikely to be affected.
This just about sums up the official information that has come out of the company, and you have to agree that it leaves quite a few open questions. People have been trying to answer them.
Customers and security researchers are wondering what's going on
One thing that is certain is that the attack was pretty serious. Even now, more than a week after the first 8-K filing, the websites of a number of Avon's branches around the world are down. In some cases, users see a message telling them that the website is being overhauled; in others, the site simply says that it's not available at the moment.
The exact nature of the attack was not disclosed in the SEC filings, which has led to a lot of speculation. In January, for example, a Brazilian company by the name of Natura & Co. bought a majority stake in Avon. In May, about 250,000 of Natura's customers were affected by a major data leak, and predictably, people are now wondering whether the two incidents might be connected. Meanwhile, the operators of a major ransomware family have claimed responsibility for the attack.
DoppelPaymer: We attacked Avon
The DoppelPaymer ransomware has been around for a while now, and it has been involved in quite a few major attacks against large organizations and businesses. Last year, its operators, along with those of a few other major ransomware threats, added a sinister twist to their operations.
Usually, a ransomware attack's only goal is to encrypt the victim's files and extort a ransom for the decryption key. In 2019, however, the operators behind DoppelPaymer, Maze, and a couple of other ransomware strains started stealing data before scrambling it. That way, when the targeted company refuses to pay for a decryptor, the crooks can threaten to leak the pilfered information to the whole world. If the stolen data is sensitive, and the victim is still not willing to pay up, the crooks can also sell it on the dark web.
DoppelPaymer's operators set up a special website where they first publish the names of their victims and then leak sensitive data if they refuse to give in to the extortion. The aptly named Doppel Leaks has been operating since February, and according to a Polish penetration testing company called Niebezpiecznik, Avon's name recently appeared on it. But does that really mean that Avon was hit by DoppelPaymer?
The evidence certainly points to a ransomware attack. The fact that some of the systems went offline and are still not restored suggests that the data in them might be scrambled. As you can see, however, this is not just about encrypted data. Sensitive information that belongs to Avon, its employees, and its customers could be leaked at any time, and people should be on the lookout for any potential attacks that could result from this.
As Sophos' Paul Ducklin said, even Avon itself might not yet know exactly what happened at this point, but it must work to find out as quickly as possible and report the facts to the public. That's the only way people can know what sort of risk they're faced with.