U.S.-based bookseller Barnes and Noble confirmed a data breach that affected their e-book Nook services and potentially exposed customer data. Bleeping Computer originally broke this story.
The Barnes and Noble breach began as a series of service disruptions, including customers not being able to access their digital libraries, login failures, and missing purchases. The disruptions extend to some physical Point-of-Sale devices. Further, Barnes and Noble confirmed the disruption was caused by malware; in an email to customers, the bookseller acknowledged a digital intrusion, leading to “unauthorized and unlawful access to certain Barnes & Noble corporate systems.”
Although the company stressed payment information was not exposed in the breach, hackers may have accessed customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories.
Several cybersecurity experts provided comments weighing in on the Barnes and Noble breach. Here’s what they had to say on the subject and identity management.
Identity Management Lessons from the Barnes and Noble Breach
Chloé Messdaghi is VP of Strategy at Point3 Security.
“We don’t know how this occurred but it is significant and a bit curious that the email notifying customers did Not ask us to change passwords. B&N did notify us shortly after the breach took place, which was good.
“It is possible that the breach might have arisen from phishing – an internal staff member may have clicked a bad link or executable that gave the malware an entry point. Phishing succeeds when organizations are less diligent than they need to be about keeping employees continuously trained to spot and double-check potential phishing emails. Once again, we see that apathy is expensive!
“It’s helpful that B&N informed us that our payment info was encrypted and not exposed, but I wish they’d also offered some valuable advice that most consumers probably don’t already know.
“B&N members should be advised to change their account passwords, and they should also be advised to be extra cautious and in fact suspicious moving forward because their billing, shipping, email, and phone number can all be used in phishing attacks against them.
“For example, a consumer might get a message saying “Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data. Or a consumer might get an SMS phishing-lure message claiming to be from a bank, falsely confirming a large transfer of funds, with a phony number to call if the fraudulent transfer wasn’t authorized, which it, of course, wasn’t.”
“It’s so much easier to continually upskill cybersecurity professionals and train users to ward against these attacks than it is to clean up after them.”
Robert Prigge is CEO of Jumio.
“The cyber-attack on Barnes & Noble exposing customer transaction history, email addresses, home addresses, and phone numbers puts more than customer accounts at risk. This compromised data will likely find a home on the dark web, where it will be bought and sold for profit and combined with other available information to create a ‘fullz,’ giving fraudsters everything they need to commit automated account takeover fraud. The retail industry is a prime target for seasonal fraud, and we can expect this to be much higher this holiday season as consumers shift to online shopping amid the pandemic.”
“Criminals will attempt to weaponize the overwhelming amount of exposed data on the dark web to take over the retail accounts of legitimate consumers or use stolen identity data to commit account registration fraud against online retailers. This highlights the pressing need for retailers – and any company with a digital presence – to adopt biometric authentication solutions to protect their users and online ecosystems from digital identity fraud by verifying a user’s digital identity.”
Ben Goodman is CISSP and SVP of Global Business and Corporate Development at ForgeRock.
“With online shopping surpassing traditional brick-and-mortar in popularity right now, corporations must be extra cautious with their customers’ personal information as we have seen a drastic surge in cyberattacks this year. Prior to the pandemic, in Q1 2020 alone, the retail sector had over 400 million records breached – the second-highest number of records impacted behind the healthcare industry. As these numbers only increase, it is up to retailers to minimize security risks that could not only harm their customers but could also result in financial and reputational damages. As such, organizations can deploy customer identity and access management (CIAM) tools that will not only detect unusual behavior, but also ensure intelligent, contextual, and continuous security.”
Thanks to our experts for their time and expertise. You can learn more about securing your enterprise in our Identity Management Buyer’s Guide.
Latest posts by Ben Canner (see all)
- Identity Management Lessons from the Barnes and Noble Breach - October 15, 2020
- Findings: The Forrester Wave: Customer Identity And Access Management, Q4 2020 - October 12, 2020
- Credential Stuffing Attacks on the Rise. What Can You Do? - October 8, 2020