Experts Insight On Barnes & Noble Hack

Barnes & Noble has revealed that its corporate systems were hit by a cyber attack and that the attackers may have made off with customer information, potentially including addresses. According to the company, no financial information or payment details were taken: that data, Barnes & Noble explains, is always encrypted and tokenized. It does not, however, rule out that the encrypted data was also copied, in which case it could still be subjected to decryption attempts. The company does concede that at least two categories of customer information were exposed: email addresses and purchase transaction histories. Transaction histories could be used to build a profile of a customer, and email addresses could be used for phishing. Whether a customer's email account itself ends up compromised depends on how well that account is secured, not on this breach alone. Billing information, including the shipping address and telephone number where the customer supplied them, may also have been taken.

9 Expert Comments
Boris Cipot, Senior Sales Engineer
October 15, 2020 7:03 pm

Even if payment data was not exposed, I would recommend that customers keep their guard up. Transaction data and email addresses are still valuable information for scammers and cyber criminals. Such data can be leveraged in identity theft and phishing attempts. In this case, where cybercriminals have access to additional data, better and more believable phishing emails can be crafted to scam individuals into giving up the data they truly desire. Therefore, it is critical that individuals are on the lookout for any suspicious emails requesting data. No company will ask you for your personal information, such as your social security number, credit card information, or the like, through an email. If they call you to request this data, it is best to say that you will call back, and do not continue discussions unless the caller has been authenticated. There are many scams being conducted with identity theft. In Germany, for example, we had cases where scammers used stolen identities to buy phones and tablets, picking them up with fake IDs. So, be on guard and do not fall victim to scams.

Jake Moore, Cybersecurity Specialist
October 15, 2020 7:16 pm

When companies suffer a data breach, they can often make customers more confused due to the way they communicate the message. Businesses tend to say that they value their customers’ privacy, but we are still experiencing breaches of personally identifiable information, which can have damaging consequences. Threat actors can do a lot with a list of personal data, so companies must act quickly to better protect this information and treat it with the same respect as their own intellectual data.

When you need to enter your details into websites, think twice about what information is really needed and use a secondary, throw-away email address wherever possible.

Sam Curry, Chief Security Officer
October 15, 2020 7:30 pm

The Barnes & Noble breach is yet another reminder of how it’s become almost a reflex now for retailers to tell customers that they regret to inform them that, due to a breach, their personal data may have been compromised. Consumers should be working under the assumption that their personal information has been compromised many times over. As an industry, until we can start making cyber crime unprofitable for adversaries, they will continue to hold the cards that will yield potentially massive pay-outs. For the retailers, having customer data is a privilege, not a right. The time to beef up security is long past. Explanations for breaches of this sort in the retail industry demand a little more than a standard letter and business as usual.

Chris Hauk, Consumer Privacy Champion
October 16, 2020 1:27 pm

This data breach could provide a somewhat fresh approach for the bad actors of the world, allowing them to use a victim’s previous Barnes & Noble purchases against them. Customers could see emails that look like the familiar “Because you read…” newsletters that booksellers send out, but that contain malicious links and attachments instead of exciting new reading opportunities.

Phishing phone calls could also be a possibility since phone numbers were exposed. “This is Suzy down at Barnes & Noble, the new Jack Reacher thriller is in, and if you want to give me your credit card info, I’ll be glad to ship it right over to you.”

Hank Schless, Senior Manager, Security Solutions
October 16, 2020 1:47 pm

It can be difficult to monitor every endpoint and identify every CVE, but it’s necessary in order to properly secure both corporate and customer data. Attackers are constantly looking to take advantage of any weak point in your security posture just to gain entry to IT infrastructure. Once they get their foot in the door, they can move laterally until they find valuable data that they can exfiltrate and profit from. This highlights the importance of having visibility into the security posture of every part of your infrastructure – from VPN servers to mobile devices with access to the corporate data.

VPN was the first thing many organisations turned to for securing remote workers at the start of the pandemic, and for good reason. However, those that haven’t advanced their remote security strategy past that are exposing themselves to risk. VPN connections themselves are secure, but the real risk lies in the devices that use them. Computers, smartphones, and tablets all have the same level of access to corporate infrastructure in order to keep productivity high from anywhere. If a device using the organisation’s VPN is infected with malware, it could mistakenly introduce that malware into the infrastructure. In order to make sure your infrastructure is as secure now as it was when everyone was working in the office, you need to secure computers and mobile devices with the same level of priority.

Paul Bischoff, Privacy Advocate
October 16, 2020 2:35 pm

Barnes and Noble customers should be on the lookout for phishing messages to their phones and email accounts from scammers posing as B&N or a related company. Fraudsters could use the personal details in the exposed database to tailor phishing messages and make them seem more convincing. Never click on links in unsolicited emails and messages.

Mark Bower, Senior Vice President
October 16, 2020 2:38 pm

We’ve seen a repeating pattern in recent scaled breaches like this case: partial protection of sensitive data, perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility. Fundamentally, organisations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like CCPA are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition. The challenge for CISOs is balancing data use, security, and data privacy in equal measures. Technologies like tokenisation, particularly those suited to agile and scaled use, help avoid data breaches while preserving analytic utility in data. As such, this technology has to be prioritised for investment as a foundation for risk-reduced digital transformation and cloud migration.

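The article notes that Barnes & Noble's payment data is "encrypted and tokenized" and that encrypted data, if copied, could still be attacked; Mark Bower's comment above singles out tokenisation as the control that reduces breach impact while keeping data useful for analytics. The Python below is an added example written for this page, not Barnes & Noble's or any vendor's code, showing why a random-token vault does not have the "try to decrypt it later" failure mode: a token has no key relationship to the card number, so a stolen order table holds nothing reversible. Assumptions not taken from the article: PANs are 13 to 19 digit strings that pass the Luhn check, tokens keep the last four digits for receipts, and tokens are generated so that they fail Luhn and can never be mistaken for or charged as a real card number. The card numbers are well-known public test numbers and the emails are constructed sample data.

```python
"""Added example: a minimal random-token vault (not Barnes & Noble's code).

Assumptions (not from the article): PANs are 13-19 digit strings that pass
the Luhn check; tokens keep the last four digits for receipts; tokens are
generated so that they FAIL the Luhn check, so a leaked token can never be
mistaken for, or charged as, a real card number. The PANs used below are
well-known public test numbers, and the emails are constructed.
"""
import secrets
from typing import Dict, List, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place the token <-> PAN mapping exists.

    Unlike encryption, there is no key that turns a token back into a PAN:
    detokenisation needs this table, which lives in a separate, tightly
    controlled system, not in the merchant's order database.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            # Same PAN -> same token, so repeat purchases stay linkable for analytics.
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that passes Luhn (that also excludes
            # the PAN itself). Roughly 1 in 10 candidates passes, so this is quick.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


def record_order(vault: TokenVault, email: str, pan: str, amount_cents: int) -> dict:
    """What the merchant's order database stores: email, amount and token, never the PAN."""
    return {"email": email, "card_token": vault.tokenize(pan), "amount_cents": amount_cents}


def usable_card_numbers(stolen_orders: List[dict]) -> List[str]:
    """An attacker sifting a stolen order table for anything that could be a real
    card number (passes Luhn). With Luhn-failing random tokens this is empty."""
    return [o["card_token"] for o in stolen_orders if luhn_valid(o["card_token"])]


def demo() -> List[dict]:
    """Build a small order table with constructed emails and public test PANs."""
    vault = TokenVault()
    return [
        record_order(vault, "reader1@example.com", "4111111111111111", 2499),
        record_order(vault, "reader2@example.com", "5555555555554444", 1299),
        record_order(vault, "reader1@example.com", "4111111111111111", 899),
    ]


if __name__ == "__main__":
    for order in demo():
        print(order)
    print("usable card numbers in stolen table:", usable_card_numbers(demo()))
```

The design point is the separation: `record_order` is the merchant side and never sees the mapping, while `TokenVault` is the component that has to be locked down. A real deployment would put the vault behind an authenticated service with its storage encrypted and audited, but even a full copy of the order table, the kind of transaction data the article says was exposed, yields no card numbers to an attacker.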
Paul Martini, CEO
October 16, 2020 2:45 pm

The indication that this breach may have been the result of ransomware should come as no surprise as these malicious attacks are becoming harder to spot and increasing in frequency. As a result, an untold number of Nook customers whose email addresses may have been exposed are now at further risk of being targeted by sophisticated phishing campaigns. Notably, this news comes after it was revealed that the U.S. government took direct action to disrupt a botnet which has generally been used in ransomware attacks. To help prevent these types of attacks, organizations of all sizes should consider modern cybersecurity solutions that protect user internet connections regardless of location.

Chloé Messdaghi, VP of Strategy
October 16, 2020 3:03 pm

We don’t know how this occurred, but it is significant and a bit curious that the email notifying customers did not ask us to change passwords. B&N did notify us shortly after the breach took place, which was good.

It is possible that the breach might have arisen from phishing – an internal staff member may have clicked a bad link or executable that gave the malware an entry point. Phishing succeeds when organizations are less diligent than they need to be about keeping employees continuously trained to spot and double-check potential phishing emails. Once again, we see that apathy is expensive!

It’s helpful that B&N informed us that our payment info was encrypted and not exposed, but I wish they’d also offered some valuable advice that most consumers probably don’t already know.

B&N members should be advised to change their account passwords, and they should also be advised to be extra cautious and in fact suspicious moving forward because their billing, shipping, email, and phone number can all be used in phishing attacks against them.

For example, a consumer might get a message saying “Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data.” Or a consumer might get an SMS phishing-lure message claiming to be from a bank, falsely confirming a large transfer of funds, with a phone number to call if the fraudulent transfer wasn’t authorized, which of course it wasn’t.

It’s so much easier to continually upskill cybersecurity professionals and train users to ward against these attacks than it is to clean up after them.

Information Security Buzz