It has been reported that Barnes & Noble revealed that that its corporate systems fell victim to a cyber attack and that the hackers may have gotten away with some important information about B&N’s customers, potentially including their addresses. No financial information or payment details were pilfered during the attack. These are, Barnes & Noble explains, always encrypted and tokenized. It doesn’t, however, discount the possibility that this encrypted data was also stolen, which could still fall prey to attempts at decrypting them. The company, however, does admit that at least two pieces of customer information were left exposed. Those include user’s emails and their purchase transactions. The latter could perhaps be used to build a profile of customers while the former could be used for phishing attempts. Whether customers’ email accounts themselves will be compromised will depend on how strong the security of their emails is. Hackers may have also gotten away with billing information, which includes the customer’s shipping address and telephone number if the customer supplied those.
We don’t know how this occurred but it significant and a bit curious that the email notifying customers did Not ask us to change passwords. B&N did notify us shortly after the breach took place, which was good.
It is possible that the breach might have arisen from phishing – an internal staff member may have clicked a bad link or executable that gave the malware an entry point. Phishing succeeds when organizations are less diligent than they need to be about keeping employees continuously trained to spot and double-check potential phishing emails. Once again, we see that apathy is expensive!
It’s helpful that B&N informed us that our payment info was encrypted and not exposed, but I wish they’d also offered some valuable advice that most consumers probably don’t already know.
B&N members should be advised to change their account passwords, and they should also be advised to be extra cautious and in fact suspicious moving forward because their billing, shipping, email, and phone number can all be used in phishing attacks against them.
For example, a consumer might get a message saying “Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data. Or a consumer might get an SMS phishing-lure message claiming to be from a bank, falsely confirming a large transfer of funds, with a phone number to call if the fraudulent transfer wasn’t authorized, which is of course wasn’t.
It’s so much easier to continually upskill cybersecurity professionals and train users to ward against these attacks than it is to clean up after them.
The indication that this breach may have been the result of ransomware should come as no surprise as these malicious attacks are becoming harder to spot and increasing in frequency. As a result, an untold number of Nook customers whose email addresses may have been exposed are now at further risk of being targeted by sophisticated phishing campaigns. Notably, this news comes after it was revealed that the U.S. government took direct action to disrupt a botnet which has generally been used in ransomware attacks. To help prevent these types of attacks, organizations of all sizes should consider modern cybersecurity solutions that protect user internet connections regardless of location.
We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility. Fundamentally, organisations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like CCPA are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition. The challenge for CISO’s is balancing data use, security, and data privacy in equal measures. Technologies like tokenisation, particularly those suited to agile and scaled use, help avoid data breaches while preserving analytic utility in data. As such, this technology has to prioritised for investment as a foundation for risk-reduced digital transformation and cloud migration
Barnes and Noble customers should be on the lookout for phishing messages to their phones and email accounts from scammers posing as B&N or a related company. Fraudsters could use the personal details in the exposed database to tailor phishing messages and make them seem more convincing. Never click on links in unsolicited emails and messages.
It can be difficult to monitor every endpoint and identify every CVE, but it’s necessary in order to properly secure both corporate and customer data. Attackers are constantly looking to take advantage of any weak point in your security posture just to gain entry to IT infrastructure. Once they get their foot in the door, they can move laterally until they find valuable data that they can exfiltrate and profit from. This highlights the importance of having visibility into the security posture of every part of your infrastructure – from VPN servers to mobile devices with access to the corporate data.
VPN was the first thing many organisations turned to for securing remote workers at the start of the pandemic, and for good reason. However, those that haven’t advanced their remote security strategy past that are exposing themselves to risk. VPN connections themselves are secure, but the real risk lies in the devices that use them. Computers, smartphones, and tablets all have the same level of access to corporate infrastructure in order to keep productivity high from anywhere. If a device using the organization’s VPN is infected with malware, they could mistakenly introduce that malware into the infrastructure. In order to make sure your infrastructure is as secure now as it was when everyone was working in the office, you need to secure computers and mobile devices with the same level of priority.