Breach Notification , Business Continuity Management / Disaster Recovery , Governance & Risk Management

Barnes & Noble Investigates Hacking Incident

System Housing Customer Data Accessed; Company Takes Down Nook E-Book Platform
Barnes & Noble Investigates Hacking Incident
Barnes & Noble informed customers via email of a cyber incident that may have compromised some of their personal information.

Book retailer Barnes & Noble is investigating a security incident involving unauthorized access to its corporate systems, including those storing customers' email addresses as well as billing and shipping addresses and telephone numbers.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

The company, which notified customers Wednesday, says in a statement that, to begin its mitigation efforts, it shut down its systems after the incident, which meant its Nook e-book platform was knocked offline.

The company says no payment card or financial information was compromised because this data is encrypted and tokenized. As for the other customer information, the company says in the notification: "We currently have no evidence of the exposure of this data, but we cannot at this stage rule out the possibility."

A Barnes & Noble spokesperson tells Information Security Media Group that the company immediately hired a cybersecurity firm to deal with the situation.

The company spokesperson did not indicate what type of attack took place or how many customers were notified that their data may have been exposed. The customer notification notes the company was "made aware" of the incident on Saturday.

Notice sent to Barnes & Noble customers Wednesday about possible data breach

Restoring Network Access

Barnes & Noble says that, over the course of this week, it has "cautiously restored our networks, which by its nature has taken time."

The book retailer took to Twitter on Wednesday to inform customers that its Nook e-reader systems are taking longer to restore than originally anticipated.

Chloé Messdaghi, vice president of strategy for Point3 Security, says she's surprised the company did not tell its customers to change their passwords - a move she suggests all customers take.

POS System Affected?

The company's in-store point-of-sale systems were also temporarily affected, according to the trade publication Good e-Reader, which cited store managers who contacted the news site.

Barnes & Noble did not confirm this aspect of the attack.

If the POS systems were knocked offline, the company needs to do a better job segmenting its networks, says Ilia Sotnikov, a vice president at the security firm Netwrix.

"If [segmentation is] done correctly, the virus that started in the corporate office should not have made its way to the cash desks and prevented orders from being placed. Also, it limits the attack surface, and makes it easier to investigate the incident and close security gaps," Sotnikov says.

Barnes & Noble suffered a payment card-related breach in 2012 that affected 63 of its stores and forced the company to replace the payment card readers at all of its locations (see: POS Breach Highlights Fraud Trend).

Time to Rethink Security

"The Barnes & Noble breach is another good reminder to keep software, firmware and operating systems up to date and patched, and for organizations to consider implementing newer technologies like Runtime Application Self-Protection (RASP) as well as the recent update that the National Institute of Science and Technology made to its security framework, SP800-53 Revision 5," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.

Tim Wade, technical director of the CTO team at security firm Vectra, adds: "Poor IT hygiene routinely finds itself at the core of compelling events like this. And one of the challenges that security teams face is communicating the risks that their peers in the IT organization are forcing the business to accept when critical patching activities are neglected."

Keeping abreast of ongoing threats, as well as ensuring every endpoint is monitored, is necessary to ensure corporate and customer data remains secure, says Hank Schless, senior manager of security solutions for the mobile security firm Lookout.

"Attackers are constantly looking to take advantage of any weak point in your security posture just to gain entry to IT infrastructure," he says.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.