Bed, Bath & Beyond confirmed a data breach from a targeted phishing attack against one of its employees.
In October 2022, the big box retailer noticed that a third party had improperly accessed its data after a successful phishing scam by an unnamed threat actor. The attacker accessed data on the employee’s hard drive and shared drives that the employee could access.
With outlets in 950 locations in the US, Canada, Mexico, and Puerto Rico, Bed, Bath & Beyond is a Fortune 500 company with a market cap of about $0.35 billion and $7.87 billion in revenues in 2022.
Bed, Bath & Beyond reviewing possible information leakage after a phishing attack
Bed Bath & Beyond said it was reviewing the data breach to determine if the drives contained any sensitive information.
“The Company is reviewing the accessed data to determine whether these drives contain any sensitive and/or personally identifiable information,” stated the company in its 8K filing to the U.S. Securities and Exchange Commission.
However, Bed, Bath & Beyond believes that no sensitive or personally identifiable information was accessed during the phishing attack. Additionally, the retail giant expects the cybersecurity incident to have no material impact on the company.
“At this time the Company has no reason to believe that any such sensitive or personally identifiable information was accessed or that this event would be likely to have a material impact on the Company.”
Bed, Bath & Beyond was very economical with the details and did not provide more information about the phishing attack. The company also did not estimate the number of customers impacted by the data breach.
The disclosure was followed by the announcement of a planned exit of the company’s customer and technology officer Rafeh Masood on December 2, 2022. However, Masood’s departure seems unrelated to the recent data breach or any developments at the company.
Arti Raman, CEO and founder of Titaniam, advocated for sympathy, noting that a phishing attack could impact any organization.
“A phishing attack could happen to any of us, and there are statistics to prove it. Data suggests that phishing accounts for around 90% of data breaches. So the first response we must have as a community is empathy for the victims.”
She recommended investing in phishing awareness training so that security stays at “the top of their minds” for employees.
“For IT administrators, ongoing security awareness training and simulated phishing for employees are highly recommended to keep security top of mind throughout the organization.”
Raman also recommended ‘data-in-use encryption’ to prevent cybercriminals from misusing stolen data after a successful data breach.
“Encryption-in-use is already being used by leading enterprises to secure both structured and unstructured data across clouds, on-prem, and hybrid environments,” she said. “It is available for state-of-the-art cloud environments as well as legacy infrastructure and helps neutralize all possible data-related leverage and dramatically limits the impact of data exposure, ransomware, and/or breach.”
Tim Prendergast, CEO at strongDM, said that phishing was the “means to the end” for every cybercriminal hoping to access improperly stored credentials because they are “VIP passes into databases, and servers.”
“Once attackers get those valid credentials, they have oftentimes unlimited access internally. Rather than point fingers, because in truth this could have happened to anyone, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure.”
Second data breach in three years
This incident marks the second time Bed, Bath & Beyond has reported a data breach; the first followed a credential stuffing attack in 2019 that compromised less than 1% of its customer accounts.
According to the company, hackers obtained usernames and passwords from an external data breach and relied on users’ password reuse to compromise Bed, Bath & Beyond accounts. On October 29, 2019, Bed, Bath & Beyond began notifying customers and hired a cyber forensics firm to investigate the incident.