Barnes & Noble Investigates Hacking Incident
System Housing Customer Data Accessed; Company Takes Down Nook E-Book Platform
Book retailer Barnes & Noble is investigating a security incident involving unauthorized access to its corporate systems, including those storing customers’ email addresses as well as billing and shipping addresses and telephone numbers.
The company, which notified customers Wednesday, says in a statement that, to begin its mitigation efforts, it shut down its systems after the incident, which meant its Nook e-book platform was knocked offline.
The company says no payment card or financial information was compromised because this data is encrypted and tokenized. As for the other customer information, the company says in the notification: “We currently have no evidence of the exposure of this data, but we cannot at this stage rule out the possibility.”
A Barnes & Noble spokesperson tells Information Security Media Group that the company immediately hired a cybersecurity firm to deal with the situation.
The company spokesperson did not indicate what type of attack took place or how many customers were notified that their data may have been exposed. The customer notification notes the company was “made aware” of the incident on Saturday.
Restoring Network Access
Barnes & Noble says that, over the course of this week, it has "cautiously restored our networks, which by its nature has taken time."
The book retailer took to Twitter on Wednesday to inform customers that its Nook e-reader systems are taking longer to restore than originally anticipated.
"We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately, it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration. 1/2" - NOOK (@nookBN), October 14, 2020
Chloé Messdaghi, vice president of strategy for Point3 Security, says she’s surprised the company did not tell its customers to change their passwords – a move she suggests all customers take.
POS System Affected?
The company's in-store point-of-sale systems were also temporarily affected, according to the trade publication Good e-Reader, which cited store managers who contacted the news site.
Barnes & Noble did not confirm this aspect of the attack.
If the POS systems were knocked offline, the company needs to do a better job segmenting its networks, says Ilia Sotnikov, a vice president at the security firm Netwrix.
"If [segmentation is] done correctly, the virus that started in the corporate office should not have made its way to the cash desks and prevented orders from being placed. Also, it limits the attack surface, and makes it easier to investigate the incident and close security gaps," Sotnikov says.
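Sotnikov's point is that a zone policy with a default-deny between zones keeps a corporate-network compromise away from the cash desks. The script below is an added illustration, not Barnes & Noble's configuration or any product's code: it models a small zone-based policy, evaluates constructed traffic flows against it, and shows the same corporate-to-POS flow being permitted on a flat network and refused under the segmented one. The zone names, address ranges, ports and rules are all assumptions made up for the example.

```python
"""Zone-based segmentation policy check (added example, constructed data).

Models a default-deny policy between network zones so that a compromised
corporate workstation cannot open connections into the in-store POS segment,
while the POS segment can still reach its payment gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: zone name -> list of CIDRs. Nothing here is a real
# retailer's addressing plan.
ZONES = {
    "corporate": [ip_network("10.10.0.0/16")],
    "pos": [ip_network("10.50.0.0/16")],
    "payment_gateway": [ip_network("10.60.0.0/24")],
    "nook_platform": [ip_network("10.70.0.0/24")],
}

# Allow rules as (src_zone, dst_zone, proto, dst_port); "*" is a wildcard.
# Anything that matches no rule is denied, which is what makes the policy
# a segmentation policy rather than a flat network.
SEGMENTED = [
    ("pos", "payment_gateway", "tcp", 443),
    ("corporate", "nook_platform", "tcp", 443),
    ("corporate", "internet", "tcp", 443),
    ("corporate", "internet", "tcp", 80),
]

# A flat network for comparison: every zone may talk to every other zone.
FLAT = [("*", "*", "*", "*")]


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def zone_of(addr: str) -> str:
    """Return the zone containing addr, or "internet" if no zone matches."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def _matches(rule, src_zone, dst_zone, proto, dport) -> bool:
    r_src, r_dst, r_proto, r_port = rule
    return (r_src in ("*", src_zone) and r_dst in ("*", dst_zone)
            and r_proto in ("*", proto) and r_port in ("*", dport))


def is_allowed(flow: Flow, rules=SEGMENTED) -> bool:
    """True if the flow matches an allow rule; traffic inside one zone is
    not governed by the inter-zone policy and is always allowed here."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True
    return any(_matches(r, src_zone, dst_zone, flow.proto, flow.dport)
               for r in rules)


def reachable_zones(src_zone: str, rules=SEGMENTED) -> set:
    """Zones a host in src_zone can open any connection to: the lateral
    movement surface an attacker on that zone would have."""
    all_zones = set(ZONES) | {"internet"}
    return {dst for dst in all_zones - {src_zone}
            if any(_matches(r, src_zone, dst, r[2], r[3]) for r in rules)}


def audit(flows, rules=SEGMENTED):
    """Evaluate a list of flows; returns [(flow, allowed), ...]."""
    return [(f, is_allowed(f, rules)) for f in flows]


if __name__ == "__main__":
    # Constructed sample traffic: a corporate workstation probing a POS
    # terminal over SMB, and a POS terminal talking to the payment gateway.
    sample = [
        Flow("10.10.4.7", "10.50.2.9", "tcp", 445),
        Flow("10.50.2.9", "10.60.0.5", "tcp", 443),
        Flow("10.50.2.9", "10.10.4.7", "tcp", 443),
    ]
    for flow, ok in audit(sample):
        print(f"{zone_of(flow.src):>10} -> {zone_of(flow.dst):<16} "
              f"{flow.proto}/{flow.dport}: {'allow' if ok else 'DENY'}")
    print("corporate can reach (flat):     ", sorted(reachable_zones("corporate", FLAT)))
    print("corporate can reach (segmented):", sorted(reachable_zones("corporate")))
```

The contrast between `reachable_zones("corporate", FLAT)` and the segmented result is the "limits the attack surface" part of the quote: on the flat network a foothold in the corporate office reaches every zone including the POS segment, while under the segmented policy the corporate zone can reach only the Nook platform and the internet, and the POS zone can reach only its payment gateway.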
Barnes & Noble suffered a payment card-related breach in 2012 that affected 63 of its stores and forced the company to replace the payment card readers at all of its locations (see: POS Breach Highlights Fraud Trend).
Time to Rethink Security
"The Barnes & Noble breach is another good reminder to keep software, firmware and operating systems up to date and patched, and for organizations to consider implementing newer technologies like Runtime Application Self-Protection (RASP) as well as the recent update that the National Institute of Science and Technology made to its security framework, SP800-53 Revision 5," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.
Tim Wade, technical director of the CTO team at security firm Vectra, adds: "Poor IT hygiene routinely finds itself at the core of compelling events like this. And one of the challenges that security teams face is communicating the risks that their peers in the IT organization are forcing the business to accept when critical patching activities are neglected.”
Keeping abreast of ongoing threats, as well as ensuring every endpoint is monitored, is necessary to ensure corporate and customer data remains secure, says Hank Schless, senior manager of security solutions for the mobile security firm Lookout.
"Attackers are constantly looking to take advantage of any weak point in your security posture just to gain entry to IT infrastructure,” he says.