Barnes & Noble, one of the world's largest online bookstores, confirmed this week that hackers gained access to several corporate systems that contained readers' personal data, forcing the bookseller to grapple with outages and connectivity issues.
Barnes & Noble is among the world's largest online bookstores, not only offering over 1 million titles to customers at any point in time but also eBooks, magazines, toys & games, music, DVD, and Blu-ray products. The company runs Nook, a popular eBook reader, and also offers millions of new and used items from a network of trusted sellers via the B&N Marketplace.
Earlier this week, customers started complaining about not being able to download books which they had purchased from the company's platforms and not being able to find any content in their libraries. This led many to speculate that Barnes & Noble may have suffered a cyber attack that caused the disruptions.
Hackers accessed phone numbers, emails, and addresses of Barnes & Noble customers
Confirming the rumours, the company accepted in an emailed statement to customers that it had indeed suffered a cyber attack on 10th October that allowed hackers to gain access to several corporate systems that stored customer data such as email addresses, telephone numbers, and billing and shipping addresses.
"It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems," the company said.
"Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.
"Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system. No financial information was accessible. It is always encrypted and tokenized. It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.
"While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these. We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us," it added.
Hackers will certainly use stolen customer data to launch phishing attacks
There is no confirmation yet whether the company suffered a ransomware attack or whether hackers gained access to its systems via a phishing attack. However, as hackers gained access to customer data that was stored by Barnes & Noble, it is very likely that they will use the data to launch phishing attacks directed at unsuspecting customers.
Paul Bischoff, Privacy Advocate at Comparitech.com, said customers should be on the lookout for phishing messages to their phones and email accounts from scammers posing as B&N or a related company. Fraudsters could use the personal details in the exposed database to tailor phishing messages and make them seem more convincing.
"In this case, where cybercriminals have access to additional data, better and more believable phishing emails can be crafted to scam individuals to give up the data they truly desire. Therefore, it is critical that individuals are on the lookout for any suspicious emails requesting data," said Boris Cipot, senior security engineer at Synopsys.
"No company will ask you for your personal information such as your social security number, credit card information, or the like, through an email. If they call you to request this data, it is best to say that you will call back and do not continue discussions unless authentication of the caller is verified.
"There are many scams being conducted with identity theft. In Germany, for example, we had cases where scammers used stolen identities to buy phones and tablets, picking them up with fake IDs. So, be on guard and do not fall victim to scams," he added.
Read More: ICO fines British Airways £20m for 2018 data breach