It was reported that Nordstrom suffered a breach at the hands of a careless employee, exposing highly sensitive information of 76,000 former and current employees. The exposed information includes employee names, Social Security numbers, dates of birth, checking account and routing numbers, salaries and more. IT security experts commented below.
Mark Weiner, CMO at Balbix:
“The problem with most enterprises today is that they do not have adequate visibility into all vulnerabilities in their networks and infrastructure, and therefore can’t take proper actions to prevent breaches and protect against misconfigurations, malicious or careless insider threats, malware, hacking, etc. that can all lead to data leaks. Organizations must clearly understand what their most important and sensitive data sets are, such as personal information of employees and customers, and prioritize the security of this data.
Nordstrom’s breach indicates a lack of employee training for proper data handling and possibly a lack of proper privilege management and safeguards that can help ensure critical data remains secure. Incidents such as these cause employees to lose trust in their employer and can also signal to consumers that the company is not the best steward of sensitive information.”
Javvad Malik, Security Advocate at AlienVault:
“Details are not available as yet beyond the fact that a contractor improperly handled the data. The insider threat isn’t just restricted to malicious acts, but also covers accidental misuse of data. Therefore, it is important that companies provide appropriate training to staff that handle sensitive information, have in place segregation and protective controls, as well as having monitoring controls that can spot anomalous activity and raise alarms so that any irregularities can be investigated promptly.”
Ryan Wilk, VP at NuData Security:
“No one company is immune to cyberattacks, but how a company responds will make all the difference in restoring trust with customers and employees and proving that they have taken all possible actions to inform and mitigate the damage during an event. That is why Nordstrom’s response time to this data breach incident is laudable as well as their attempts at transparency. Online companies should do more to devalue personal information or PCI Data so if a breach does occur the data obtained by cyber attackers is less valuable. Additionally, ensuring Merchants and FIs are using technologies like passive biometrics and behavioral analytics to detect and devalue the data when bad actors use it to commit Account Takeover at Login or attempting to create New Accounts such as Credit Cards and Loads, it will dissuade bad actors from attempting to steal the data in the first place.”
Mayur Upadhyaya, Managing Director, EMEA at Janrain:
“In recent industry research, Janrain found that nearly half of the respondents will try to only buy from brands they believe will protect their data. Janrain surveyed over 1,000 U.S. consumers and found 48% will try to only buy from companies they believe will protect their personal data, though they don’t fully trust all of the brands they conduct business with. Any retailer suffering from a data breach just before Cyber Monday, might find their brand tarnished and consumer behaviour changed.”
Tim Erlin, VP at Tripwire:
“While we tend to see more headlines about customer data, compromises of employee data are also significant, especially to large employers who have thousands of employees.
Think about the personal data that your employer has about you. There’s enough data in there to carry out a variety of criminal activities, including identity theft and insurance fraud.
Risk assessments and threat modelling need to account for all the sensitive data within the organization, including employee data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.