Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks.

In a disgruntled message to the company, the BlackCat gang mocked the security measures, saying they were still present on the network.

MOVEit data theft attack

In a Security Exchange Commission (SEC) filing on Tuesday, The Estée Lauder Companies confirmed one of the attacks by saying the threat actor gained access to some of its systems and may have stolen data.

The company didn’t provide too many details about the incident, saying it acted proactively and took down some systems to prevent attackers from growing on the network.

An investigation is underway with the support of “leading third-party cybersecurity experts”. The company also coordinates with law enforcement.

It appears that the Clop ransomware gang gained access to the company after exploiting a vulnerability in MOVEit Transfer platform for secure file transfers.

The threat actor started taking advantage of the vulnerability when it was zero day in late May and claimed to have breached hundreds of businesses for data theft extortion.

On their data leak site, Clop ransomware lists Estée Lauder with the simple message “The company doesn’t care about its customers, it ignored their safety!!!” and a note that they have more than 131 GB of company data.

BlackCat pressures to negotiate

On Tuesday, BlackCat also added Estée Lauder to its list of victims, but the entry came with a message showing the threat actor’s displeasure with the company’s silence on his extortion emails.

Referring to security experts Estée Lauder brought in to investigate, BlackCat said that despite the company’s use of Microsoft and Mandiant’s Detection and Response Team (DART), the network remained compromised and they still had access.

The attacker also said he had not encrypted any of the company’s systems, adding that unless Estée Lauder engages in negotiations, he would reveal more details about the stolen data.

BlackCat hinted that the exfiltrated information could impact customers, company employees and suppliers.

Estée Lauder’s lack of response to BlackCat’s communication indicates that the company will not engage in any negotiations with the threat actor.

In the filing with the SEC, the company advises that the focus is “on remediation, including efforts to restore affected systems and services” and that “the incident has caused, and is expected to continue to cause, disruptions to portions of the company’s business operations.”