TechRadar
Sead Fadilpašić

Dutch cosmetic powerhouse Rituals confirms breach and stolen data from 'My Rituals' membership database

  • Rituals confirmed a cyberattack in April that exposed customer data from its “My Rituals” membership program.
  • Stolen information includes names, contact details, birth dates, and addresses, though passwords and payment data were not accessed.
  • The company launched a forensic investigation, notified affected users, and reported the incident to authorities, with no evidence of public leaks so far.

Global cosmetics powerhouse Rituals suffered a cyberattack in which it lost personally identifiable data (PII) belonging to its customers.

In a security notice published on its website, Rituals said it identified an unauthorized download of part of its members’ data. The company said the attack, which took place in April this year, was stopped as soon as it was noticed, but it did not give a more precise timeline of events.

Before the crooks were ousted, they managed to steal people’s full names, email addresses, phone numbers, dates of birth, genders, and postal addresses.

No attribution

While passwords and payment information were not accessed, this type of information is more than enough to craft highly convincing phishing emails, which can lead to ransomware attacks, fraudulent wire transfers, identity theft, and other forms of more serious cybercrime.

“We have initiated an in-depth forensic investigation to understand how this happened and what measures we can take to prevent a similar incident in the future,” Rituals said in the notice. “We have also reported it to the relevant authorities.” Customers whose data was accessed have also been notified via email and warned to be on the lookout for incoming communications claiming to come from the company.

The organization did not say who was behind the attack, or if the threat actors tried to extort it in exchange for deleting the files. It says that there is currently no evidence of the data being publicly available.

According to BleepingComputer, the incident affects the company’s "My Rituals" membership database, which has more than 41 million members. The same publication also says that as of today, no threat actors have claimed responsibility for the incident.

Rituals counts more than 12,000 employees worldwide and operates more than 1,400 retail boutiques and more than 4,800 luxury perfumeries in 33 countries.

Via BleepingComputer
