Data leak
Estée Lauder Unsecured Elasticsearch Database — 440 Million Records
Incident Details
In February 2020, security researcher Jeremiah Fowler discovered a publicly accessible Elasticsearch database belonging to Estée Lauder — one of the world’s largest cosmetics and beauty companies (also owning MAC Cosmetics, Clinique, Bobbi Brown, La Mer, and dozens of other brands). The database contained approximately 440 million records totalling multiple gigabytes of data.
The exposed records included internal business documents, email logs, IP addresses, internal production and staging environment information, references to middleware platforms and CMS systems, and other operational data. Many of the records appeared to be from various Estée Lauder business systems. A significant portion appeared to be email addresses — possibly from email marketing systems.
Fowler reported the exposure to Estée Lauder, which secured the database promptly after notification. Estée Lauder declined to provide detailed comment on the nature or scope of the data exposed. The company did not file a public breach notification, suggesting no customer personal data (as regulated by GDPR or state laws) was directly exposed, or that the regulatory threshold for notification was not met. The incident highlighted how large multinational consumer goods companies can inadvertently expose large amounts of internal operational data through misconfigured cloud database instances.
Technical Details
- Initial Attack Vector: Security researcher Jeremiah Fowler discovered that Estée Lauder's internal Elasticsearch database was publicly accessible without any authentication or password protection; the database contained internal records and email addresses
- Vendor / Product: Estée Lauder Companies Elasticsearch database
- Software Package: Elasticsearch
Timeline
- 2020-01-01 Breach occurred
- 2020-02-10 Publicly disclosed