Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift.

The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a cyberattack happened on October 10, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”

Some indications — such as its Nook e-reader service being taken offline starting last weekend — also point to a possible ransomware attack, though the company hasn’t yet confirmed that. Some store workers told an e-reader blog that their physical registers were having trouble over the weekend, too.

In any event, Barnes & Noble said that its IT team “doesn’t know” yet if customer info was exposed, but the systems that were hit contained personal data, so it may have been. The potential trove includes personally identifiable information tied to the bookseller’s ecommerce activities, including email addresses, billing and shipping addresses, and telephone numbers; as well as transaction and purchase histories.

On the payment-card front, financial data is “encrypted and tokenized and not accessible,” according to the notice. “At no time is there any unencrypted payment information in any Barnes & Noble system.” The notice also didn’t mention names or dates of birth being part of the database.

On the point that only the financial data, and not the personal data, was encrypted, Mark Bower, senior vice president at comforte AG, told Threatpost that this approach is all too common.

“We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility,” he said. “Fundamentally, organizations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like California Consumer Privacy Act (CCPA) are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition.”

The decision not to encrypt personal data could be a problem for the company, according to Erich Kron, security awareness advocate at KnowBe4.

“For the organization itself, this is liable to be a costly issue as many data breaches are,” he told Threatpost. “Because the organization sells to such a wide variety of geographically dispersed customers, there is a potential for significant fines being levied by various entities for a failure to protect the consumer’s information.”

Barnes & Noble Hack: A Reading List for Phishers and Crooks