IKEA Canada has suffered an internal data breach that impacted 95,000 Canadians. 

In a statement to Global News, the company confirmed the breach and said the company acted quickly to prevent the data from being used, stored or shared with any third parties. No banking or financial information was accessed, IKEA said. 

Some of its customers’ personal information appeared in a generic search made by an IKEA employee between March 1-3, using Ikea’s customer database. “While we can’t speculate as to why the search was made, we can share that we have taken actions to remedy this situation,” IKEA Canada PR leader Kristin Newbigging said.

The company has submitted a breach report to the Office of the Privacy Commissioner of Canada, as well as any applicable customers. “At IKEA, the security of our customers’ private information is of utmost importance... We have also reviewed and updated internal processes to prevent such incidents in the future,” the statement noted. “No action is required by our customers.”

Erfan Shadabi, a cybersecurity expert at comforte AG, notes that the data breach is a reminder of insider threats. “When we hear of careless handling of sensitive information, we begin to wonder just how secure our own data is within the many different data ecosystems housing and processing it,” Shadabi adds. 

In fact, a survey report, “2020 Cost of Insider Threats: Global Report” from the Ponemon Institute, revealed that the number of insider threats increased by 47%, from 3,200 in 2018 to 4,716 in 2020. It also revealed that the cost of insider threat incidents also surged by 31%, from $8.76 million in 2018 to $11.45 million in 2020.

Even if they don’t have access and rights to all information within the organization, employees are usually granted a certain level of trust with enterprise data, Shadabi explains. A similar survey by Gurucul conducted at the 2020 RSA Conference also found that 65% of professionals said they access documents that have nothing to do with their jobs, and 40% admitted to abusing their privileged access. 

“Working from the inside with an implied level of trust means that the inside job has more time to develop and execute an effective exfiltration strategy,” Shadabi says.