Cosmetics giant Avon is recovering from a mysterious cyber-security incident that took place last week, on June 8, sources have told ZDNet.
The company filed documents with the US Securities and Exchange Commission on June 9 disclosing the incident, a day after it first discovered issues with some of its IT infrastructure.
The company said the incident “interrupted some systems and partially affected operations.”
Last week, Avon distributors reported problems accessing the company’s backend, where they usually file new product orders.
Issues with accessing the Avon backend have been reported in the UK, Argentina, Brazil, Poland, and Romania.
Avon, which is owned by Brazilian multinational Natura &Co, has declined to provide details about the incident to both distributors and representatives of the press. An Avon spokesperson could not be contacted for comment, despite repeated attempts over the past two days.
Details about the nature of the cyber-attack are still a mystery, but in a second document filed with the SEC on June 12, last Thursday, Avon promised to restore “some of its affected systems in the impacted markets” this week.
At the time of writing, the Avon Poland and Romania backends have been restored and are working normally.
Ransomware attack?
A source tracking the incident has told ZDNet today that the Avon incident is a ransomware attack carried out by the DoppelPaymer gang.
However, ZDNet has not been able to independently confirm this statement beyond a public tweet from Polish cyber-security firm Niebezpiecznik, which also reported receiving indirect information that the Avon downtime had been caused by an intrusion from the DoppelPaymer gang.
New information:
We have confirmed (unofficially, because officially there is still no contact) that this is, unfortunately, ransomware (DoppelPaymer)
The good news is that the criminals' site does not (yet?) have a package with the data stolen from AVON. What does this mean? More on that in the article: https://t.co/K51iYiGktB
— Niebezpiecznik (@niebezpiecznik) June 16, 2020
In its second SEC filing, Avon said it’s still investigating the incident to check for signs of user data compromise, but the company was adamant that no financial data was involved, “as its main ecommerce website does not store that information.”
The DoppelPaymer ransomware gang is one of 13 ransomware gangs that operate a “leak site,” where they list recent successful compromises. At the time of writing, the DoppelPaymer gang was not listing Avon’s name on its website.