Customers' lists of book purchases along with email addresses and more could have been exposed during a (ransomware?) attack — and that's a problem.

Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift.
The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a cyberattack happened on October 10, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”
Some indications — such as its Nook e-reader service being taken offline starting last weekend — also point to a possible ransomware attack, though the company hasn’t yet confirmed that. Some store workers told an e-reader blog that their physical registers were having trouble over the weekend, too.
In any event, Barnes & Noble said that its IT team “doesn’t know” yet if customer info was exposed, but the systems that were hit contained personal data, so it may have been. The potential trove includes personally identifiable information tied to the bookseller’s ecommerce activities, including email addresses, billing and shipping addresses, and telephone numbers; as well as transaction and purchase histories.
On the payment-card front, financial data is “encrypted and tokenized and not accessible,” according to the notice. “At no time is there any unencrypted payment information in any Barnes & Noble system.” The notice also didn’t mention names or dates of birth being part of the database.
On the fact that only the financial data, and not the personal data, was encrypted, Mark Bower, senior vice president at comforte AG, told Threatpost that this approach is all too common.
“We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility,” he said. “Fundamentally, organizations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like California Consumer Privacy Act (CCPA) are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition.”
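To make concrete what "encrypted and tokenized and not accessible" means in practice, and why it leaves the rest of the record exposed, here is a minimal token vault in Python. This is an added illustration, not Barnes & Noble's code and not the (unnamed) tokenization product the company uses; the `TokenVault` class, the `"payment-processor"` role string, the `tok_` token format and the sample order record are all assumptions for the example. The e-commerce database keeps only the token, so an attacker who reads that table learns the last four digits and nothing reversible; the mapping back to the card number lives in the vault, which is a separate system with its own access control. The email, address, phone and purchase history, by contrast, sit in the same table in the clear, which is exactly the gap the quote above describes.

```python
"""Field-level tokenization of a checkout record (added example, hypothetical code)."""
import hashlib
import hmac
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; rejects obvious garbage before storage."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps opaque tokens back to card numbers.

    Assumed to run in a separate, PCI-scoped system; the e-commerce database
    never holds the card number, only the token this class hands out.
    """

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._forward = {}      # token -> card number (the sensitive mapping)
        self._reverse = {}      # HMAC(card number) -> token, so one card gets one token

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a plausible card number")
        # keyed fingerprint: lets us detect a repeat card without storing a plain hash
        fingerprint = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        if fingerprint in self._reverse:
            return self._reverse[fingerprint]
        # random token with last four kept for receipts; no mathematical link to the PAN
        token = "tok_" + secrets.token_hex(12) + "_" + digits[-4:]
        self._forward[token] = digits
        self._reverse[fingerprint] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing path may recover the number (role is an assumption)."""
        if caller_role != "payment-processor":
            raise PermissionError("detokenization restricted to the payment processor")
        return self._forward[token]


def make_order_record(vault: TokenVault, email: str, address: str,
                      phone: str, purchases: list, pan: str) -> dict:
    """What the e-commerce database stores: PII in the clear, card as a token only.

    Mirrors the situation in the notice: an attacker with read access to this table
    gets the personal data but not the card number.
    """
    return {
        "email": email,
        "shipping_address": address,
        "phone": phone,
        "purchases": list(purchases),
        "card_token": vault.tokenize(pan),   # no PAN ever written to this record
    }


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # constructed sample order, not real customer data
    rec = make_order_record(vault, "reader@example.com", "1 Main St", "555-0100",
                            ["Dune", "Neuromancer"], "4111 1111 1111 1111")
    print(rec)                                         # card_token ends in _1111
    print(vault.detokenize(rec["card_token"], "payment-processor"))
```

The deterministic fingerprint uses a keyed HMAC rather than a plain hash so that a dump of the vault's index cannot be brute-forced against the card-number space; the token itself is random, so even the vault's HMAC key does not let anyone invert it.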
The decision not to encrypt personal data could be a problem for the company, according to Erich Kron, security awareness advocate at KnowBe4.
“For the organization itself, this is liable to be a costly issue as many data breaches are,” he told Threatpost. “Because the organization sells to such a wide variety of geographically dispersed customers, there is a potential for significant fines being levied by various entities for a failure to protect the consumer’s information.”