Barnes & Noble Suffers Data Breach, Customer Info Exposed

A cybersecurity attack on Barnes & Noble exposed customers' personal information, including transaction history and email addresses. The bookseller sent an email notifying customers of the data breach, which it was aware of since Oct. 10. Barnes & Noble clarified customers' financial information, such as payment card information, was not among the exposed data.

Total Retail's Take: In response to Barnes & Noble's data breach, Chloé Messdaghi, vice president of strategy, Point3 Security, offered the following insights to Total Retail after receiving an email from the retailer notifying her of the incident:

“We don’t know how this occurred, but it's significant and a bit curious that the email notifying customers did Not ask us to change passwords. B&N did notify us shortly after the breach took place, which was good.

"It's possible that the breach might have arisen from phishing — an internal staff member may have clicked a bad link or executable that gave the malware an entry point. Phishing succeeds when organizations are less diligent than they need to be about keeping employees continuously trained to spot and double-check potential phishing emails. Once again, we see that apathy is expensive!

"It’s helpful that B&N informed us that our payment info was encrypted and not exposed, but I wish it had also offered some valuable advice that most consumers probably don’t already know. B&N members should be advised to change their account passwords, and they should also be advised to be extra cautious and, in fact, suspicious moving forward because their billing, shipping, email and phone number can all be used in phishing attacks against them.

"For example, a consumer might get a message saying 'Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data.' Or a consumer might get a SMS phishing-lure message claiming to be from a bank, falsely confirming a large transfer of funds, with a phony number to call if the fraudulent transfer wasn’t authorized, which it of course wasn’t.

“It’s so much easier to continually upskill cybersecurity professionals and train users to ward against these attacks than it is to clean up after them."