Estée Lauder reaches $1.5 million settlement over 2023 data breaches affecting Canadian customers

A proposed class-action settlement would compensate victims up to $5,000, with a Quebec court set to approve or reject the deal on June 3.

Credit · Global News

Key facts

  • Estée Lauder will pay $1.515 million to settle a class-action lawsuit over two data breaches in May and July 2023.
  • The breaches potentially compromised personal and financial information of customers across Canada.
  • The settlement is proposed and requires approval by the Superior Court of Quebec on June 3.
  • Eligible individuals can claim up to $5,000 for documented out-of-pocket losses.
  • Those without documentation may receive $150 if affected by one breach, or $300 if affected by both.
  • If total approved claims exceed the fund, payments may be reduced proportionally; if the resulting payment would be below $3 per person, no payments will be issued and the funds go to charity.
  • Estée Lauder denies all allegations and liability, but agreed to settle to avoid litigation risks and costs.
  • The breaches resulted from two separate ransomware attacks by cybercrime groups.

A proposed settlement for Canadian victims

Estée Lauder has agreed to pay $1.515 million to resolve a class-action lawsuit stemming from two data breaches that exposed the personal and financial information of Canadian customers in 2023. The proposed settlement, announced by claims administrator Concilia Services Inc., still requires approval from the Superior Court of Quebec, which is scheduled to hear the case on June 3. Under the terms, the cosmetics giant denies all allegations of wrongdoing and liability. Both parties consented to the settlement to avoid the risks and expenses of continued litigation.

Two ransomware attacks in mid-2023

The breaches occurred on May 31 and July 12, 2023, when cybercrime groups launched separate ransomware attacks that infiltrated Estée Lauder’s systems and stole customer data. The hackers then used the stolen information as leverage for extortion. The incidents potentially compromised the personal and financial details of individuals across Canada, prompting the class-action lawsuit. Customers who were notified by the company following the breaches are also covered by the settlement.

Who is eligible and how much they can claim

Any Canadian customer whose private or financial information was held by Estée Lauder during the breaches, or who received a formal notification from the company, may be eligible for compensation. The settlement provides up to $5,000 for documented out-of-pocket losses directly linked to the incidents, such as fraud expenses or credit monitoring costs. For those without supporting documents, a flat payment of $150 is available if affected by one breach, or $300 if affected by both. The notice warns that if total approved claims exceed the available fund, payments will be reduced proportionally. If the resulting individual payment would be less than $3, no payments will be issued, and the remaining funds will be donated to charity.

Court approval and next steps

The Superior Court of Quebec will decide on June 3 whether to approve the settlement. If approved, the claims process will begin, and eligible individuals will be able to submit their claims. The settlement administrator emphasized that no court has found Estée Lauder liable, and the company maintains its denial of all allegations. The case highlights the growing threat of ransomware attacks targeting major corporations and the legal recourse available to affected consumers. The outcome of the June 3 hearing will determine whether this settlement proceeds as proposed.

Broader implications for data breach litigation

This settlement is one of many recent class actions in Canada addressing corporate data breaches. The structure—a capped fund with tiered payouts—reflects a common compromise between plaintiffs seeking compensation and defendants avoiding admission of liability. The $1.515 million figure, while substantial, represents a fraction of Estée Lauder’s annual revenue, underscoring the cost-benefit calculus behind such agreements. For affected Canadians, the settlement offers a path to reimbursement for losses, though the actual payout per person may be modest if many claims are filed. The case also serves as a reminder for consumers to monitor their accounts and report any suspicious activity following data breaches.

The bottom line

  • Estée Lauder will pay $1.515 million to settle a class-action lawsuit over two 2023 data breaches in Canada.
  • Eligible customers can claim up to $5,000 with documentation, or $150/$300 without, depending on exposure.
  • The settlement is proposed and requires Quebec Superior Court approval on June 3.
  • Estée Lauder denies liability but settled to avoid litigation costs.
  • If total claims exceed the fund, payments may be reduced; if the resulting payment would be below $3 per person, no payments will be made and the funds go to charity.
  • The breaches stemmed from two separate ransomware attacks by cybercrime groups.