A data breach impacting Bed Bath & Beyond online customer accounts offers up lessons and reminders for retailers and consumers, according to cybersecurity experts, just in time for the busiest retail shopping season of the year.
The retailer announced Tuesday in an SEC filing that email and password data were accessed by a third party, with less than 1% of customer accounts compromised. No payment cards were impacted, according to the retailer.
The news comes just one month after the retailer announced it had named former Target vice president and chief merchandising officer Mark Tritton as its new CEO. Tritton will take the reins from interim CEO Mary A. Winston on Nov. 4.
Lessons for everyone
In the SEC filing, the retailer stated it has sent notifications to certain customers as required by law, has hired a security forensics team and is implementing remedial measures.
While the retailer investigates, security experts say it is prime time for all retailers to take stock of data security online and at the physical POS, to assess the measures already in place and, most importantly, to shore up employee education and knowledge about potential security issues.
While there is limited public knowledge regarding the breach, it may well be the result of an employee reusing company credentials that were compromised elsewhere, according to Javvad Malik, a security awareness advocate at KnowBe4.
"It should serve as a reminder to all companies that employee training is important, so that they do not put the company at risk through actions outside of work," he told Retail Customer Experience in an email.
He said technical controls such as two-factor authentication and monitoring controls could have detected and prevented the attack.
"Customer data is valuable all the same, regardless of the source. This data is not just restricted to financial data, but personal data is also equally valuable to criminals, and in some cases, even more so," Malik said.
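The two controls Malik points to, a second factor on login and monitoring of authentication activity, can be illustrated with a small log-monitoring script. This is an added example, not code from the article or from any retailer's systems; the log format, the thresholds, the IP addresses and the account names are all constructed for illustration. It flags a single source that tries many distinct accounts in a short window (the pattern compromised credential lists produce) and lists successful logins that completed without a second factor:

```python
"""Constructed example of a login-monitoring control.

Parses constructed authentication log lines and flags two things:
a single source attempting many distinct accounts within a short window,
and successful logins that did not complete a second factor.
Log format and thresholds are assumptions for this example only.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result, mfa flag.
# 203.0.113.10 walks through six accounts in six seconds and gets one hit.
SAMPLE_LOG = """\
2019-10-29T08:00:01Z 203.0.113.10 alice@example.com FAIL mfa=no
2019-10-29T08:00:02Z 203.0.113.10 bob@example.com FAIL mfa=no
2019-10-29T08:00:03Z 203.0.113.10 carol@example.com FAIL mfa=no
2019-10-29T08:00:04Z 203.0.113.10 dave@example.com OK mfa=no
2019-10-29T08:00:05Z 203.0.113.10 erin@example.com FAIL mfa=no
2019-10-29T08:00:06Z 203.0.113.10 frank@example.com FAIL mfa=no
2019-10-29T08:05:00Z 198.51.100.7 alice@example.com OK mfa=yes
2019-10-29T08:06:00Z 198.51.100.8 grace@example.com FAIL mfa=no
2019-10-29T08:06:30Z 198.51.100.8 grace@example.com OK mfa=yes
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src: str
    account: str
    ok: bool
    mfa: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed line format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result, mfa = line.split()
        events.append(LoginEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            src=src,
            account=account,
            ok=(result == "OK"),
            mfa=(mfa == "mfa=yes"),
        ))
    return sorted(events, key=lambda e: e.ts)


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Sources that tried at least min_accounts distinct accounts in one window.

    Returns {source_ip: max distinct accounts seen in any window}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            accounts = {e.account for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(accounts))
    return flagged


def logins_without_mfa(events):
    """Successful logins that never completed a second factor."""
    return [(e.src, e.account) for e in events if e.ok and not e.mfa]


def compromised_accounts(events):
    """Accounts successfully logged into from a flagged stuffing source."""
    sources = stuffing_sources(events)
    return sorted({e.account for e in events if e.ok and e.src in sources})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("logins without MFA:", logins_without_mfa(evs))
    print("accounts to reset:", compromised_accounts(evs))
```

The sliding window is per source, so a legitimate user retrying their own account never trips the threshold; only breadth across accounts does. In practice the window and account count would be tuned against real traffic, and the no-MFA list is the set of sessions that a second factor would have stopped outright.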
The employee credential scenario was also identified by security training and awareness firm Lucy Security, which said its analysts had found a potential exposure of an employee's credentials in June. The credential belonged to a person within the HR division and was associated with what appeared to be a company email address, according to Lucy Security CEO Colin Bastable.
"The most likely point of entry is through a third-party supplier of services to the company, and the odds are over 90% in favor of the attack being initiated by a phishing email, perhaps a spoof email, one that appears to be from someone else," he told Retail Customer Experience in an email.
The lesson for employees, he said: "Don't use work email addresses on third-party websites and learn to spot phishing and spear-phishing emails."
To make that happen, security experts advise retailers to enhance and expand security training regarding email use.
"For affected BB&B customers the risk is significant," said Bastable. "The bad guys don't need a password to phish you, just a valid email. How do they know that the next marketing email is really from Bed Bath and Beyond? Phishing attacks can keep coming over the next several years."
The Bed Bath & Beyond data breach should also serve as a reminder to consumers busy shopping in the next few months to be aware of potential security threats, added Bastable.
"The message to all consumers is you may trust your favorite online store's security, but you don't know who they allow to have access to your data. Don't recycle passwords with online shopping sites."
In early October, CEO Winston — speaking of the retailer's second quarter earnings — said the company is "making good progress" on driving top-line growth, resetting its cost structure, optimizing its asset base and refining organization structure. Net sales for the quarter were $2.7 billion, a decrease of approximately 7.3% compared to the prior year period, and comparable sales dipped approximately 6.7%.
As of Aug. 31, the company operated 1,534 stores, including 993 Bed Bath & Beyond stores in all 50 states.