Tarte Cosmetics exposes data of 2 million customers

Tarte Cosmetics exposes data of 2 million customers

There’s yet another story in the endless cycle of companies who have exposed their customers to ID theft and today it’s popular makeup brand Tarte Cosmetics.

In September Tarte came under fire for exposing 1400 customers’ names, addresses, email addresses, shopping history, and partial credit card numbers in an email that linked its recipients to a visible part of the brand’s customer database.

Now the same database appears to have been facing the open internet all along. Data from about 2 million customers from 2008-2017 has been found to be visible on Tarte’s servers. Researchers from Kromtech Security Center confirmed that the customer information was exposed, but they weren’t the first to find the database. Members of the ransomware group “CRU3LTY” had left a warning file in the database, though they hadn’t deleted the information, which is standard for CRU3LTY.

It’s easy to make jokes about this breach in particular because it’s a bit silly. Tarte isn’t the sort of brand you picture when you think of security risks and the data lost isn’t especially serious. Though Tarte customers will want to replace their credit cards and be on the lookout for phishing scams in the next few years this kind of loss pales in comparison to the massive September Equifax breach. Which would be okay, if both breaches weren’t symptoms of the same problem: a lack of focus on security.

We’ve seen the targeting of large financial institutions, medical facilities, military organizations, but it’s important that all online consumers realize that they’re at risk for data breaches and thefts. It doesn’t matter if you’re just buying from a single brand or participating in the ACA healthcare exchange, your data is at risk and you need to hold companies accountable for it so that they get serious about protecting your information.

Where do we go from here?

If you own a business that stores customer data it’s time to get serious. Tarte didn’t take the risk seriously and their customers will suffer as a result. Tarte is a large company that didn’t believe it had to test its security because its customers were low-value targets. But in the current climate all targets are high value.

If your company keeps client records it’s time to take a good, long look at your practices. PMCS can help – give us a call for an assessment of your security protocols and data environment.

In the meantime practice good netiquette, make sure everyone in your office has macros disabled on their email programs, and make sure everyone has their antivirus up to date.

But more than that, take your customers’ privacy seriously. Never store your customers’ data in a way you wouldn’t want your own data stored.