Bed Bath & Beyond declares data incident

Home goods retailer Bed Bath & Beyond yesterday disclosed in a Securities & Exchange Commission 8-K filing that an unauthorized third party illegally accessed one percent of its online customers' accounts.

The online intruder acquired the account emails and passwords from a "source outside the company's systems," the Union Township, N.J. retailer reported. Based on this account, the incident may therefore have been a case of credential stuffing, or the result of a third-party data breach or phishing attack.

Payment card information was reportedly not affected.

Bed Bath & Beyond said that in response to the unauthorized access, it hired a forensics firm to investigate, "implemented remedial measures" and "sent notifications to certain customers as required by applicable legal requirements."

"Due to the limited nature of the security incident and the company’s cyber incident insurance coverage, the company does not expect this security incident to have a material adverse effect on its results of operations, cash flows or financial condition for any fiscal period," the retailer stated in the filing.

Colin Bastable, CEO of security training and awareness company Lucy Security, said, "The most likely point of entry is through a third-party supplier of services to the company, and the odds are over 90 percent in favor of the attack being initiated by a phishing email, perhaps a spoof email, one that appears to be from someone else."

"The message for employees is: Don’t use work email addresses on third-party web sites, and learn to spot phishing and spearphishing emails," Bastable continued. "For affected BB&B customers, the risk is significant. The bad guys don’t need a password to phish you, just a valid email. How do they know that the next marketing email is really from Bed Bath & Beyond?"

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.