Book retailer Barnes & Noble Booksellers Inc. (No. 76 in the 2020 Digital Commerce 360 Next 1000) acknowledged this week it suffered an online security breach Oct 10 that might have exposed customers’ email addresses, billing and shipping addresses and telephone numbers. The systems attacked also include customers’ transaction histories, such as when they made a purchase.

In an email to customers, the retailer says, “there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible.” Barnes & Noble also says it has no evidence that hackers obtained any personal customer information stored on its systems but could not rule out the possibility.

In a statement, Barnes & Noble said it responded to the breach by engaging a “firm of cybersecurity consultants to evaluate the nature of the threat” and cautiously restored its systems with the firm’s help, after closing them down once tit suspected cybersecurity attack was in progress. 

“We acted as quickly as we could, given the circumstances, and notified customers once we were able to give credible information of what happened. As of writing, the cybersecurity consultants have detected no evidence of data having been exposed. We have acted, therefore, with an abundance of caution. We regret sincerely that in so acting, we have caused disruption to our customers, especially those of Nook,” the statement said.

Nook is the brand name of Barnes & Noble’s line of e-readers and associated reading apps and the retailer’s e-book store. According to media reports, some Nook users were temporarily unable to access their online Nook libraries and experienced connectivity problems while Barnes & Noble dealt with the attack.

When online criminals attack global retailers like Barnes & Noble, the implications can be more significant than for other merchants, says W. Curtis Preston, chief technical evangelist at data protection, recovery and management Druva Inc. In this case, Preston says, the disruption to the retailer’s operations was significant while systems were down. The attack not only affected B&N’s corporate information technology systems but the Nook e-reader platform as well, leaving Nook users unable to download books to their devices. At the same time, cash registers at B&N stores were rendered unusable for a time, he says.

“More troubling, however, is that a user’s purchase history could potentially have been breached, which could theoretically lead to blackmail or other repercussions if that data were published,” Preston says. Currently, however, there is no evidence yet if hackers took the information.

Preston says that retailers need to know when they are most vulnerable to minimize their exposure to online attacks. For example, he says, most attacks happen outside regular working hours and over weekends—times IT staff might not be working or could be under-staffed.

If the intruders stole data, the attack on Barnes & Noble could severely affect customers —even if that doesn’t happen right away, says Matthew Gardiner, cybersecurity strategist online security firm Mimecast Ltd. 

“It isn’t always clear why cybercriminals take the data they take. Sometimes they don’t know what they have taken until they take it. And while a breach of your email address and home address may not sound like too big of a deal—and it isn’t compared with your banking and health information—it still has value to attackers,” Gardiner says.

He says hackers will often use email addresses in another stage of the attack, such as potentially imitating communications from Barnes & Noble—or sell it to someone who could. Hackers also might use the breached data to emulate the identities of law enforcement, credit bureaus, or any other organizations consumers might expect to hear from or trust.

“To that end, malicious actors could even use your reading history against you. For Barnes & Noble, it is concerning that a key service—the Nook—was taken down as a result of the attack,” Gardiner says. “It is so critical, in particular, in this time of mass transition to online commerce, that services remain continuous and resilient or revenue going forward could be lost.”

According to Mimecast data, the threat of online crime against retailers has grown dramatically since the coronavirus pandemic started.

• Retail and wholesale were the hardest hit industries by opportunistic attacks, experiencing more than 2.5 million attacks between January and June of 2020.
• The retail and wholesale were the third-most targeted sectors for spam (more than 28 million instances) and impersonation attacks (more than 14 million attacks).
• State-sponsored advanced persistent threat (APT) actors took advantage of increases in ecommerce as more folks turned to online shopping. Such actors can often gain access to a computer network and remain undetected for extended periods.