
Nordstrom Blames Breach of Employee Data on Contractor

Breach Exposed Social Security Numbers, Birthdates, Salaries, Bank Account Data

The department store chain Nordstrom says it doesn't believe that employees' personal data, which was exposed in an October data breach due to a contractor's error, has been misused.


The Seattle-based retailer has issued a statement saying that a contract worker "improperly handled some Nordstrom employee data" and that no customer data was exposed.

"The contract worker who improperly handled this information no longer has any access to our systems, and we're putting additional measures in place to help prevent this from happening again," according to the statement. "We have no evidence data was shared or used inappropriately."

Nordstrom operates 380 stores in 40 states, Puerto Rico and Canada: 122 full-line stores, 244 Nordstrom Rack locations, six Trunk Club clubhouses, three Jeffrey boutiques, two clearance stores and three Nordstrom Local locations.

One of the major fears of companies is the so-called "insider threat," where an employee or other person - in this case, a contractor - does something damaging, either intentionally or inadvertently. It can be a difficult vector to guard against, although some organizations use monitoring software to flag bulk exports of data or access that deviates from a user's normal behavior.
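The kind of monitoring mentioned above, as an added example that is not part of the original article and not Nordstrom's tooling: two detections run over constructed access-log events, an absolute rule for bulk exports of sensitive records and a per-user baseline that flags a day whose volume sits more than three standard deviations above that user's own history. The event schema, the user names, the thresholds and the sample volumes are all assumptions.

```python
"""Insider-threat detection over constructed access-log events (example code).

Two rules:
  1. bulk_export    - a single export of sensitive records at or above a fixed size
  2. volume_anomaly - a user's daily record volume far above their own baseline
The event schema, thresholds and sample data are assumptions, not a real product's.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    day: int         # day index within the observation window (assumed schema)
    user: str
    action: str      # "read" or "export"
    records: int     # employee records touched by this event
    sensitive: bool  # True when the records carry SSNs, bank details, etc.


@dataclass(frozen=True)
class Alert:
    rule: str        # "bulk_export" or "volume_anomaly"
    user: str
    day: int
    value: float     # records exported, or the z-score


BULK_EXPORT_RECORDS = 500  # any single sensitive export this large fires (assumed)
ZSCORE_LIMIT = 3.0         # daily volume more than 3 sigma above baseline fires
MIN_BASELINE_DAYS = 5      # less history than this: skip the z-score rule
SIGMA_FLOOR = 1.0          # prevents division by zero for users with a flat history


def daily_volumes(events):
    """Total records per user per day, regardless of action."""
    vols = defaultdict(lambda: defaultdict(int))
    for e in events:
        vols[e.user][e.day] += e.records
    return vols


def detect(events, baseline_days, score_day):
    """Return alerts for score_day, using baseline_days as each user's history."""
    alerts = []
    # Rule 1: absolute threshold. Needs no history, so it also covers new accounts.
    for e in events:
        if (e.day == score_day and e.action == "export" and e.sensitive
                and e.records >= BULK_EXPORT_RECORDS):
            alerts.append(Alert("bulk_export", e.user, e.day, float(e.records)))
    # Rule 2: the user's score-day volume against their own baseline.
    vols = daily_volumes(events)
    for user, by_day in vols.items():
        history = [by_day[d] for d in baseline_days if d in by_day]
        if len(history) < MIN_BASELINE_DAYS or score_day not in by_day:
            continue  # no usable baseline, or no activity to score
        mu = mean(history)
        sigma = max(pstdev(history), SIGMA_FLOOR)  # flat history would give sigma 0
        z = (by_day[score_day] - mu) / sigma
        if z > ZSCORE_LIMIT:
            alerts.append(Alert("volume_anomaly", user, score_day, round(z, 2)))
    return alerts


def history_events(user, counts):
    """Build one sensitive 'read' event per day from a list of daily record counts."""
    return [AccessEvent(day, user, "read", n, True)
            for day, n in enumerate(counts, start=1)]


# Constructed sample: ten baseline days, then day 11 is scored.
SAMPLE_EVENTS = (
    history_events("alice", [50, 55, 48, 52, 60, 45, 53, 49, 57, 51])
    + [AccessEvent(11, "alice", "read", 58, True)]            # within her norm
    + history_events("contractor", [20, 25, 22, 30, 24, 28, 21, 26, 23, 27])
    + [AccessEvent(11, "contractor", "export", 2000, True)]   # bulk export
    + [AccessEvent(11, "newhire", "read", 300, True)]         # no baseline yet
)
BASELINE_DAYS = range(1, 11)
SCORE_DAY = 11


def run_sample():
    return detect(SAMPLE_EVENTS, BASELINE_DAYS, SCORE_DAY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed data the contractor trips both rules on day 11 while alice, whose day-11 volume is within two sigma of her baseline, trips neither. The "newhire" account reads 300 records on its first day and is not flagged at all: a behavioral baseline cannot exist for an account with no history, which is why the absolute bulk-export rule is kept as the backstop rather than relying on anomaly scoring alone.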

It wasn't clear from Nordstrom's statement if the contractor who mishandled the data had malicious intentions. But Nordstrom says "we take this situation seriously and apologize to our employees."

Financial Details Leaked

The exposed data includes names, Social Security numbers, birthdates, checking account and routing numbers, and salaries, Nordstrom said. The Seattle Times reports that the incident took place on Oct. 9. Nordstrom, which is a publicly traded company, didn't say how many workers have been affected.

The upscale retailer says data breach victims will be offered two years of prepaid identity theft monitoring services.

Nordstrom says it has contacted law enforcement and started a "comprehensive investigation." Under Washington state law, organizations affected by a breach are required to notify all breach victims within 45 days of discovering the breach, as well as to notify the state attorney general's office.


The Seattle Times reports that some employees have already received data breach notifications via email. But there's no notice yet on the Washington attorney general's web page that lists breach notifications.

How a company's reputation holds up post-breach is often related to how it handles outreach after an incident, says Ryan Wilk, vice president of customer success with NuData Security. "That is why Nordstrom's response time to this data breach incident is laudable as well as their attempts at transparency," he says.

Rising Number Of Breach Victims

Three years ago, Washington modified its mandatory breach reporting law, requiring a report to be filed when a breach affects 500 or more people in the state.

According to Washington's 2018 Data Breach Report, the attorney general's office is recommending that the reporting deadline be reduced from 45 to 30 days. Attorney General Bob Ferguson also would like policymakers to require that breached entities file a preliminary notification with his office within 10 days and to expand the definition of personally identifiable information.


"Policymakers should also consider taking further steps to strengthen our data breach notification laws so that Washingtonians can take appropriate steps when their personal information has been compromised," Ferguson writes in the report's introduction.

The recommendations are the result of the findings of the report, which covered a one-year period starting in July 2017.

While the number of reported breaches in the state fell during the one-year period, a total of 3.4 million individuals were affected, far more than in the previous year. "This sharp increase was a result of a single serious breach from one of the three major nationwide credit reporting agencies, Equifax Inc.," the report says. "This breach compromised the personal information of an estimated 3.2 million Washingtonians." (See: Postmortem: Multiple Failures Behind the Equifax Breach).


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
