UPDATE
Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift.
The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a cyberattack happened on October 10, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”
Some indications — such as its Nook e-reader service being taken offline starting last weekend — also point to a possible ransomware attack, though the company hasn’t yet confirmed that. Some store workers told an e-reader blog that their physical registers were having trouble over the weekend, too.
In any event, Barnes & Noble said that its IT team “doesn’t know” yet if customer info was exposed, but the systems that were hit contained personal data, so it may have been. The potential trove includes personally identifiable information tied to the bookseller’s ecommerce activities, including email addresses, billing and shipping addresses, and telephone numbers; as well as transaction and purchase histories.
On the payment-card front, financial data is “encrypted and tokenized and not accessible,” according to the notice. “At no time is there any unencrypted payment information in any Barnes & Noble system.” The notice also didn’t mention names or dates of birth being part of the database.
As far as only the financial data – and not the personal data – being encrypted, Mark Bower, senior vice president at comforte AG, told Threatpost that this approach is all too common.
The B&N data-breach email notice.
“We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility,” he said. “Fundamentally, organizations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like California Consumer Privacy Act (CCPA) are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition.”
The decision not to encrypt personal data could be a problem for the company, according to Erich Kron, security awareness advocate at KnowBe4.
“For the organization itself, this is liable to be a costly issue as many data breaches are,” he told Threatpost. “Because the organization sells to such a wide variety of geographically dispersed customers, there is a potential for significant fines being levied by various entities for a failure to protect the consumer’s information.”
Early Holiday for Scammers
Meanwhile, many took to Twitter to express frustration with the late-night email notices, and to express consternation over what in the database could be of use to hackers.
https://twitter.com/SpiritbearNY/status/1316704190010396673
But even without credit-card or full identity fraud in the offing, the data is all that’s needed for crooks and phishers to mount convincing, personalized email campaigns bent on harvesting credentials or financial data.
According to the notice:
“It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.
While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.
We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.”
Other details are scant for now, but Threatpost has asked the retail giant for additional information.
The company did offer condolences in what’s become a boilerplate response to data breaches: “We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred,” according to the notice. “We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.”
Kacey Clark, threat researcher at Digital Shadows, noted that lax basic security could be a likely culprit behind the cyberattack.
“It’s possible that attackers accessed Barnes & Noble systems by exploiting unpatched Pulse Secure VPN servers,” she told Threatpost. “Many successful attacks that leverage this vulnerability, notably including those conducted by the REvil (a.k.a. Sodinokibi) ransomware, enable attackers, without valid credentials, to perform remote code execution and access the victim network.”
She added, “It’s imperative to underline the importance of patching out-of-date systems, encrypting payment data, securing customer details and enabling multi-factor authentication (MFA) where it’s available. You might not be able to stop every attacker, but if you make the time investment of more than a few keystrokes, they may decide to move on.”
On the plus side, the company was proactive in notifying consumers, Kron said.
“The organization did well in notifying potential victims very quickly,” he told Threatpost. “Often times, we see where breaches have occurred months prior to the victims being notified. The notification does not contain a lot of details, as many of them are still probably being determined as the investigation continues. However, it does provide a reasonable amount of information for the victims. It seems likely that if additional information is discovered, the victims will be notified.”
This story has been updated on Oct. 15 with researcher reactions.
