Cyberattack on Barnes & Noble May Have Exposed Customer’s Personal Details

A Barnes and Noble store in New York, US

For some customers, the cyberattack that impacted Barnes & Noble’s e-reader platform, Nook, may have more serious consequences than a temporary disruption of Nook services. Although customer’s financial data has not been exposed, their email addresses, purchase information and transaction history were potentially leaked.

Personal Details Exposed

Bookseller Barnes & Noble became aware of a potential data breach last week. This is when they sent customers an email notifying them of a cyberattack. The bookstore chain clarified that the Nook e-reader outage was the result of a cyberattack.

They also confirmed that credit card information and other financials were not among the exposed data. All financial data was “encrypted and tokenized”, said the notice. However, according to the same email, billing and shipping addresses, email addresses and telephone numbers were also held in the impacted systems. While there is “no evidence that this data was exposed”, Barnes & Noble did confirm that they “cannot at this stage rule out the possibility”.

Eventually, the outage also spread to their brick-and-mortar stores. For a brief period, some cash registers were not functioning. The bookseller’s systems were largely restored last Tuesday. However, engineers are still working hard to get all Nook services back to full operation. This is taking longer than anticipated. Barnes & Noble did not disclose how many customers may have been impacted by the data breach.

Unsolicited Emails, Texts or Phone Calls Likely

While the data may not be worth much to the hackers on its own, personal details are valuable goods on the dark web. Along with other information obtained through, for example, previous data breaches, hackers can combine information to create “full profiles”. Worst case, this information can be used to steal people’s identity and subsequently use someone else’s name to engage in fraudulent or criminal activities.

At the very minimum, customers might see an influx in unsolicited emails and spear phishing attempts. Again, it is likely that the cybercriminals’ aim is to gather more personal details or sensitive information. By knowing what a person likes to read or what books they bought, they are capable of tailoring their phishing campaign to the victim’s profile. They could even send customers an email pretending to be Barnes & Noble to trick them into clicking on a malicious link or to download malware.

Barnes & Noble was proactive in notifying their customers. As a result, it’s likely that customers could be more aware of an increase in unsolicited emails and phishing attempts. This gives them a chance to be more vigilant and take extra security measures. Too often, it takes weeks or even months before a potential data breach is disclosed and customers are notified.

Possible Ransomware Attack

Several security experts stated that Barnes & Noble’s cyberattack has characteristics of a ransomware attack. However, this has not been confirmed. Cybersecurity intelligence firm Bad Packets told Bleeping Computer that the bookstore chain’s VPN servers were previously vulnerable to CVE-2019-1150. This vulnerability had been made public in August last year.

Unpatched Pulse Secure VPN servers have been exploited before. On New Year’s Eve 2020, for example, a ransomware attack struck Travelex. Reports at the time suggested that the attack was made possible due to an unpatched CVE-2019-1150 vulnerability. This combined with the effects of Covid-19 forced Travelex into administration in August 2020.

Currently, Barnes & Noble’s Nook platform is still down. The book giant has adviced customers to remain vigilant. It is possible that the breach is bigger than the bookstore chain currently knows. If this is the case, we are likely to hear more in the coming days.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments.