Aura Confirms Data Breach Exposing 900,000 Marketing Contacts

What happened

Aura confirmed a data breach after an employee was targeted in a phone-based phishing attack, allowing an unauthorized party to access the employee’s account for about one hour. During that time, the attacker accessed approximately 900,000 records, the majority of which consisted of names and email addresses stored in a marketing system from a company Aura acquired in 2021. The company said the exposed data also included contact information such as home addresses and phone numbers for a smaller subset of customers, including fewer than 20,000 current users and 15,000 former users. Aura stated that no Social Security numbers, passwords, or financial information were compromised and that access was quickly terminated after detection.

Who is affected

Customers and contacts stored in Aura’s marketing systems are affected, particularly the subset of current and former users whose additional contact information may have been accessed. 

Why CISOs should care

The incident shows how targeted phishing against employees can lead to large-scale exposure of customer data, even when access is limited in duration and restricted to specific systems. 

3 practical actions

  1. Investigate employee-targeted phishing exposure. Review whether internal accounts can be accessed through social engineering attacks. 
  2. Limit access to marketing and customer data systems. Restrict account privileges to reduce exposure in the event of compromise. 
  3. Monitor for unusual account access activity. Detect short-lived but high-impact intrusions into employee accounts. 
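
As an added illustration of action 3 (not from Aura or the original article), the sketch below flags any account whose record reads inside a sliding one-hour window exceed a ceiling. The log format, account names, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format): timestamp account records_read
SAMPLE_LOG = """\
2026-01-05T09:02:11Z alice 40
2026-01-05T09:30:00Z alice 25
2026-01-05T13:00:05Z bob 120000
2026-01-05T13:20:40Z bob 310000
2026-01-05T13:48:19Z bob 470000
2026-01-05T16:10:00Z alice 60
2026-01-06T08:00:00Z carol 30000
2026-01-06T11:30:00Z carol 30000
"""

WINDOW = timedelta(hours=1)  # assumption: sized to a roughly one-hour intrusion
THRESHOLD = 50_000           # assumption: per-account ceiling on records read per window

def parse(line):
    ts, account, count = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, int(count)

def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert dict per burst of record reads above the threshold."""
    recent = defaultdict(deque)  # account -> (timestamp, count) events still in window
    totals = defaultdict(int)    # account -> records read inside the window
    latest = {}                  # account -> most recent alert for that account
    alerts = []
    for ts, account, count in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        q = recent[account]
        q.append((ts, count))
        totals[account] += count
        while ts - q[0][0] > window:  # expire events older than the window
            totals[account] -= q.popleft()[1]
        if totals[account] <= threshold:
            continue
        alert = latest.get(account)
        # Start a new alert unless this window overlaps the previous alert
        if alert is None or q[0][0] > alert["last_seen"]:
            alert = {"account": account, "first_seen": q[0][0], "records": 0}
            latest[account] = alert
            alerts.append(alert)
        alert["last_seen"] = ts
        alert["records"] = max(alert["records"], totals[account])
    return alerts

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(a["account"], a["first_seen"], a["last_seen"], a["records"])
```

In the sample, the same 60,000 records spread across several hours (carol) stay under the ceiling, while a burst inside one hour (bob) raises a single alert that tracks its peak volume.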
