A suspected ransomware attack on Barnes & Noble denied readers access to their libraries and leaked their personal information. The major bookseller sent an email notifying customers of the cyber attack that exposed their personal information, including transaction history and email addresses.
Many customers were locked out of their accounts, and point-of-sale systems became inoperable during the October 10 cyber attack. Barnes & Noble disclosed that it stored personal information on the affected systems and that the attackers might have accessed it.
However, the bookseller clarified that the breach did not expose customers’ financial information, including payment card data. Barnes & Noble stocks over 1 million titles and operates the NOOK ebook reader and its online content library.
Details of the Barnes & Noble data breach
The company experienced a systems failure that affected NOOK content during the initial stages of the attack, and Barnes & Noble customers took to social media to complain about the service disruption.
Some users protested that they could not pay for their books or access the libraries they had already purchased. The disruption also reached brick-and-mortar stores, where point-of-sale systems across the United States went down.
Barnes & Noble email alert acknowledged the cyber attack
Barnes & Noble partially restored its systems on Tuesday and acknowledged the cyber attack a day later. In a statement, the company said it regretted that the restoration had taken longer than anticipated. Barnes & Noble then emailed its customers, acknowledging an “unauthorized and unlawful access” to its corporate networks.
Barnes & Noble also disclosed that it stored customer details, such as billing and shipping addresses, email addresses, and phone numbers, on the affected systems. The company admitted that it could not verify whether personal information was exposed during the data breach, and warned customers to expect unsolicited emails exploiting the incident. Barnes & Noble did not disclose the number of customers affected.
Although the data breach did not compromise payment information, the exposed data could be combined with other details such as social security numbers to create personal profiles for identity theft purposes. Hackers could also use the customers’ purchase history to blackmail readers with embarrassing or sensitive reading preferences.
Barnes & Noble data breach indicators of compromise
Speculation suggests that the Barnes & Noble incident involved a ransomware payload. The bookseller was alleged to have been running Pulse Secure VPN servers unpatched against CVE-2019-11510, an unauthenticated arbitrary file read that lets an attacker pull cached plaintext usernames and passwords off the appliance, log in to the corporate network, install ransomware, and exfiltrate data.
It had earlier been reported that a Russian-speaking hacker forum was distributing plaintext login details for over 900 Pulse Secure VPN servers harvested through that vulnerability, and Barnes & Noble’s credentials were on the list.
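A practitioner reading the paragraphs above would want to know what the CVE-2019-11510 attempt looks like in a VPN appliance's web access log, so here is a small detector. This is an added example, not code from the article or from Barnes & Noble: the log lines, IP addresses and timestamps are constructed for illustration, while the traversal shape (dot-dot segments aimed at the /dana/html5acc/guacamole/ handler) and the /etc/passwd and data.mdb targets come from the publicly documented proof-of-concept for this flaw. It URL-decodes each request path, resolves the traversal to the file actually read, and separates successful reads (HTTP 200) from attempts a patched server refused.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed NCSA-style access log lines for illustration only; they are not
# from any real incident. 198.51.100.23 and 203.0.113.55 play the attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:03:12:44 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2020:03:13:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2034 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2020:03:13:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 1048576 "-" "python-requests/2.22.0"
198.51.100.23 - - [10/Oct/2020:03:13:05 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 310 "-" "curl/7.64.0"
192.0.2.9 - - [10/Oct/2020:03:14:10 +0000] "GET /dana/home/index.cgi HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.55 - - [11/Oct/2020:09:40:17 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 403 0 "-" "curl/7.64.0"
"""

# Minimal parser for the common/combined log format: client IP, timestamp,
# request line (method + target), status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Handler path abused by the public CVE-2019-11510 proof-of-concept.
VULN_HANDLER = "/dana/html5acc/guacamole/"


def decode_path(raw: str) -> str:
    """Percent-decode twice so %2e%2e and double-encoded %252e%252e both
    collapse to '..' before traversal detection."""
    decoded = raw
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded


def detect(line: str):
    """Return a finding dict if the line matches the CVE-2019-11510 traversal
    shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = decode_path(path)
    has_traversal = "/../" in decoded or decoded.endswith("/..")
    hits_handler = VULN_HANDLER in decoded or VULN_HANDLER in decode_path(query)
    if not (has_traversal and hits_handler):
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": status,
        # normpath resolves the dot-dot segments to the file the server would
        # actually have served; '..' above '/' is discarded, as the OS does.
        "resolved_path": normpath(decoded),
        # A 200 means the appliance served the file: treat as a confirmed read.
        "severity": "confirmed_read" if status == 200 else "attempt",
    }


def scan(log_text: str):
    """Run detect() over every line and keep the findings, in log order."""
    return [hit for hit in (detect(l) for l in log_text.splitlines()) if hit]


def summarize(hits):
    """Map each source IP to the sorted list of files it tried to read."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["resolved_path"])
    return {ip: sorted(paths) for ip, paths in by_ip.items()}


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for h in findings:
        print(f'{h["timestamp"]} {h["ip"]} {h["severity"]:<14} {h["resolved_path"]}')
    print(summarize(findings))
```

On the constructed log the detector flags the four traversal requests and ignores the two ordinary logins; three are confirmed reads, including the data.mdb session and credential cache, and the fourth is an attempt that a patched server answered with 403. The 403 line is still worth keeping as an indicator, since it shows the host was being probed. In a real hunt, run this over the appliance's full access log history going back to the April 2019 disclosure, not just the days around the outage, because credential theft via this flaw typically precedes the ransomware deployment by weeks or months.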
Chloé Messdaghi, VP of Strategy at Point3 Security, suggested that the breach may have originated from a phishing attack.
“It is possible that the breach might have arisen from phishing – an internal staff member may have clicked a bad link or executable that gave the malware an entry point,” Messdaghi says. “Phishing succeeds when organizations are less diligent than they need to be about keeping employees continuously trained to spot and double-check potential phishing emails. Once again, we see that apathy is expensive!”
She advises Barnes & Noble customers to change their passwords to protect their accounts from takeover by cybercriminals, and described what a follow-on attack on affected customers might look like:
“For example, a consumer might get a message saying ‘Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data.’ Or a consumer might get an SMS phishing-lure message claiming to be from a bank, falsely confirming a large transfer of funds, with a phony number to call if the fraudulent transfer wasn’t authorized, which it, of course, wasn’t.”
“Breaches on high profile targets like this newly reported one at Barnes and Noble continue to dominate security headlines,” said Timothy Chiu, Vice President of Marketing at K2 Cyber Security. “While we still don’t know the exact source of this breach, it’s likely to have started with an attack on a vulnerable application.”
Chiu added that the Barnes & Noble data breach was a reminder that organizations should keep their software updated to prevent threat actors from exploiting known vulnerabilities. He also advised organizations to adopt “newer technologies like Runtime Application Self-Protection (RASP), as recently required by NIST in their latest security framework SP800-53 Revision 5.”