Nordstrom Quick to Tell Employees of a Data Breach
The Seattle-based retailer suffered a data breach in which a wide range of personal information was exposed. In addition to disclosing employee names, their Social Security numbers and dates of birth, checking account and routing numbers, salaries and more were also revealed.
Co-president Blake Nordstrom reportedly apologized to employees in an email in which he had notified staff about the data breach. According to a statement from the company, the anomalous activity was detected on October 9, 2018, after a contract worker had inappropriately handled some Nordstrom employee data.
What followed was what Terry Ray, CTO at Imperva, said was protocol worthy of a pat on the back. “Employee data was collected and given to a third party, most likely to manage direct deposits of wages, certainly not unusual in business and a necessary reason to gather such data.”
While the contract worker inadvertently exposed data, Nordstrom reportedly has taken appropriate action in responding to the incident, which is currently being investigated.
"Nordstrom’s own security team became aware of the exposure in a reasonable time. Many breaches and exposures aren’t identified for months or years and, often times, not disclosed in a reasonable amount of time," said Ray.
"Additionally, most breaches are identified by external researcher or law enforcement before the company; however, this is not the case with Nordstrom. Nordstrom knows what was exposed – employee data (names, addresses, banking details) – not customers' [data]. In more than half of breaches and exposures companies do not know what data was exposed or stolen. Nordstrom then took immediate steps to remediate, removing the contract worker and putting additional controls put in place."
Though no evidence of data theft has been discovered, the company has been proactive about notifying all employees of the incident.
"Taking that a step further, Nordstrom offered affected employees two years of identity theft protection, which companies often only offer post breach, for exposure. All in all, Nordstrom appears to be handling this exposure very responsibly. Kudos to them,” Ray said.
Source: Information Security Magazine