Avon recovering after mysterious cyber-security incident

Parts of the Avon IT network have been down since last week, according to SEC documents.

Cosmetics giant Avon is recovering from a mysterious cyber-security incident that took place last week, on June 8, sources have told ZDNet.

The company filed documents with the US Securities and Exchange Commission disclosing the incident on June 9, a day after it first discovered issues with some of its IT infrastructure.

The company said the incident "interrupted some systems and partially affected operations."

Last week, Avon distributors reported problems accessing the company's backend, where they usually file new product orders.

Issues with accessing the Avon backend have been reported in the UK, Argentina, Brazil, Poland, and Romania.

Avon, which is owned by Brazilian multinational Natura &Co, has declined to provide details about the incident to both distributors and representatives of the press. An Avon spokesperson could not be contacted for comment, despite repeated attempts over the past two days.

Details about the nature of the cyber-attack are still a mystery, but in a second document filed with the SEC on June 12, last Thursday, Avon promised to restore "some of its affected systems in the impacted markets" this week.

At the time of writing, the Avon Poland and Romania backends have been restored and are working normally.

Ransomware attack?

A source tracking the incident has told ZDNet today that the Avon incident is a ransomware attack carried out by the DoppelPaymer gang.

However, ZDNet has not been able to independently confirm this statement beyond a public tweet from Polish cyber-security firm Niebezpiecznik, which also reported receiving indirect information that the Avon downtime had been caused by an intrusion from the DoppelPaymer gang.

In its second SEC filing, Avon said it's still investigating the incident to check for signs of user data compromise, but the company was adamant that no financial data was involved, "as its main ecommerce website does not store that information."

The DoppelPaymer ransomware gang is one of 13 ransomware gangs that manage a "leak site," where they list recent successful compromises. At the time of writing, the DoppelPaymer gang was not listing Avon's name on its website.