Barnes & Noble, American bookseller, has notified customers of a possible data breach that may have affected their personal information. 

According to a Tripwire report, the company sent an email, which read, “It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”

“Your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system. No financial information was accessible. It is always encrypted and tokenized.”

The company, however, notes that the systems impacted did contain email addresses, as well as billing and shipping address, and telephone number if they were supplied by the users. 

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, notes that incident response can be complex and messy, and the Barnes and Noble statement likely reflects that reality. "We’ll know more as more facts come to light, though it’s not surprising to hear that there may have been an unpatched system at the root of this problem – Poor IT Hygiene routinely finds itself at the core of compelling events like this and one of the challenges that security teams face is communicating the risks that their peers in the IT organization are forcing the business to accept when critical patching activities are neglected.”

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains that for organizations, it can be difficult to monitor every endpoint and identify every CVE, but it’s necessary in order to properly secure both corporate and customer data. 

"Attackers are constantly looking to take advantage of any weak point in your security posture just to gain entry to IT infrastructure. Once they get their foot in the door, they can move laterally until they find valuable data that they can exfiltrate and profit from. This highlights the importance of having visibility into the security posture of every part of your infrastructure - from VPN servers to mobile devices with access to the corporate data," says  Schless. "VPN was the first thing many organizations turned to for securing remote workers at the start of the pandemic, and for good reason. However, those that haven’t advanced their remote security strategy past that are exposing themselves to risk. VPN connections themselves are secure, but the real risk lies in the devices that use them. Computers, smartphones, and tablets all have the same level of access to corporate infrastructure in order to keep productivity high from anywhere. If a device using the organization’s VPN is infected with malware, they could mistakenly introduce that malware into the infrastructure."

Schless adds, "In order to make sure your infrastructure is as secure now as it was when everyone was working in the office, you need to secure computers and mobile devices with the same level of priority.” 

Tripwire reports that, in August, ZDNet reported that plaintext usernames and passwords for over 900 Pulse Secure VPN enterprise servers were being distributed on a Russian-speaking hacking forum. Barnes & Noble was one of the companies included in the offering. 

Kacey Clark, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “As security researchers noted, it's possible that attackers accessed Barnes & Noble systems by exploiting unpatched Pulse Secure VPN Server. Many successful attacks that leverage this vulnerability, notably including those conducted by REvil (AKA Sodinokibi), enable attackers, without valid credentials, to perform remote code execution and access the victim network."

In this scenario, Clark says, defense-in-depth is the best strategy. "It's imperative to underline the importance of patching out-of-date systems, encrypting payment data, securing customer details, and enabling multi-factor authentication (MFA) where it's available. You might not be able to stop every attacker, but if you make the time investment of more than a few keystrokes, they may decide to move on," Clark adds. "Additionally, table-top exercises (TTXs) are a cost effective measure of playing out the "what if" of a ransomware attack, for example, deciding whether or not a ransom should be paid and who should be responding to such an attack.”