Barnes & Noble Hack: A Reading List for Phishers and Crooks

Customers’ lists of book purchases along with email addresses and more could have been exposed during a (ransomware?) attack — and that’s a problem.




Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift.


The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a cyberattack happened on October 10, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”


Some indications — such as its Nook e-reader service being taken offline starting last weekend — also point to a possible ransomware attack, though the company hasn’t yet confirmed that. Some store workers told an e-reader blog that their physical registers were having trouble over the weekend, too.




The B&N data-breach email notice.


In any event, Barnes & Noble said that its IT team “doesn’t know” yet if customer info was exposed, but the systems that were hit contained personal data, so it may have been. The potential trove includes personally identifiable information tied to the bookseller’s ecommerce activities, including email addresses, billing and shipping addresses, and telephone numbers; as well as transaction and purchase histories.


On the payment-card front, financial data is “encrypted and tokenized and not accessible,” according to the notice. “At no time is there any unencrypted payment information in any Barnes & Noble system.” The notice also didn’t mention names or dates of birth being part of the database.


On the point that only the financial data, and not the personal data, was encrypted, Mark Bower, senior vice president at comforte AG, told Threatpost that this approach is all too common.

“We’ve seen a repeating pattern in recent scaled breaches like this case – partial protection of sensitive data perhaps for compliance, but not the full gamut within the scope of customer data privacy and trust responsibility,” he said. “Fundamentally, organizations have an increasing obligation to their customers to secure a lot more than just the minimum. Privacy regulations like California Consumer Privacy Act (CCPA) are transferring increasing data rights to citizens over data management and security, and today, business leaders have to consider personal data as a trusted donation, not just data acquisition.”


Meanwhile, many took to Twitter to express frustration with the late-night email notices, and to express consternation over what in the database could be of use to hackers.


But even without credit-card or full identity fraud in the offing, the data is all that’s needed for crooks and phishers to mount convincing, personalized email campaigns bent on harvesting credentials or financial data.


According to the notice:

“It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.

While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.

We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.”

Other details are scant for now, but Threatpost has asked the retail giant for additional information.


The company did offer condolences in what’s become a boilerplate response to data breaches: “We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred,” according to the notice. “We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.”


Kacey Clark, threat researcher at Digital Shadows, suggested that lax basic security could be the culprit behind the cyberattack.


“It’s possible that attackers accessed Barnes & Noble systems by exploiting unpatched Pulse Secure VPN servers,” she told Threatpost. “Many successful attacks that leverage this vulnerability, notably including those conducted by the REvil (a.k.a. Sodinokibi) ransomware, enable attackers, without valid credentials, to perform remote code execution and access the victim network.”


She added, “It’s imperative to underline the importance of patching out-of-date systems, encrypting payment data, securing customer details and enabling multi-factor authentication (MFA) where it’s available. You might not be able to stop every attacker, but if you make the time investment of more than a few keystrokes, they may decide to move on.”
