In a data breach notification letter submitted to the Office of the Attorney General for the state of California, a makeup product vendor said it could not fully assess the impact of a recent card security breach due to a lack of backups.
The data breach notification letter, a copy of which you can read here, was authored by Rea.deeming Beauty, Inc., a company that does business as "beautyblender" and manufactures and sells a cosmetic sponge applicator.
Online store was infected with malware
The company says it recently suffered a security breach when it discovered malware on its online shop that was collecting payment details via the checkout forms.
Beautyblender started investigating the incident after two customers complained about fraudulent transactions on credit cards used on the site.
Beautyblender's web hosting provider discovered the malware on the vendor's site in October 2017, and a separate third-party forensic investigator confirmed the web hosting provider's findings in late November 2017.
"The forensic investigator then began efforts to determine when the malware was placed on the website," Beautyblender says. "Unfortunately, due to the lack of backups of the website that were available from the website hosting company, beautyblender has been unable to confirm the date that the malware was placed on the website."
No recent backups means company is now notifying all customers
The last available backup dated back three years to April 23, 2015. Through other means, the forensic investigator was able to determine that the malware was on Beautyblender's site on July 28, 2017, but could not confirm its presence at any earlier date.
Beautyblender is now notifying all customers who purchased products through the site and providing instructions on how customers can stay vigilant against incidents of fraud and identity theft.
A Beautyblender spokesperson did not respond to requests for comment from Bleeping Computer in time for this article's publication.