Barnes & Noble is warning that it has been hacked, potentially exposing personal data for shoppers – and offering phishers an early holiday gift.
The book purveyor sent out emailed notices to customers very late Wednesday night and in the wee hours of Thursday morning, warning that a cyberattack happened on October 10, “which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”
Its IT team “doesn’t know” yet if customer info was exposed, but the systems that were hit contained personal data, so it may have been. The potential trove includes personally identifiable information tied to the bookseller’s ecommerce activities, including email addresses, billing and shipping addresses, and telephone numbers; as well as transaction and purchase histories.
On the payment-card front, financial data is “encrypted and tokenized and not accessible,” according to the notice. “At no time is there any unencrypted payment information in any Barnes & Noble system.” The notice also didn’t mention names or dates of birth being part of the database.
Many took to Twitter to express frustration with the late-night email notices, and to express consternation over what in the database could be of use to hackers.
Woke up to an email from Barnes and Noble saying they were hacked. What do hackers want with my reading list? They’re going to find a whole lot of @exlarson but I happily share that information with anyone who will listen. 📚
— Spirit Bear (@SpiritbearNY) October 15, 2020
But even without credit-card or full identity fraud in the offing, the data is all that’s needed for crooks and phishers to mount convincing, personalized email campaigns bent on harvesting credentials or financial data.
According to the notice:
“It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.
While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.
We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.”
Other details are scant for now, but Threatpost has asked the retail giant for additional information. We also reached out to security researchers for their take on the incident, and will update this post with any relevant comment.
The company did offer condolences in what’s become a boilerplate response to data breaches: “We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred,” according to the notice. “We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.”