Nordstrom Blames Breach of Employee Data on Contractor.
Luxury department store chain Nordstrom announced that it recently experienced a data incident in what appears to be an insider threat involving a contractor. The exposed data evidently included names, Social Security numbers, birthdates, checking account and routing numbers, and employee salary information.
While Nordstrom isn't providing many details on exactly what the incident was or who had access to the data, it does serve as a valuable lesson. We may not have all the details, but events like these highlight several points to keep in mind:
- As we shop online, it is becoming progressively more difficult to protect our own data. As with the Equifax hack, we have become dependent on organizations like Nordstrom to protect our information, and when those protections fail, it is the consumer who often feels the most pain.
- Contractors and vendors alike are becoming an increasingly difficult risk to manage. In most cases, contractors and vendors do not cause incidents with malicious intent; we generally see accidental incidents. These third parties are given trusted access to data and systems similar to employees, but they generally aren't held to the same expectations for undergoing proper security training.
- Malicious insider threats can be one of the most difficult threats to detect and manage, as the frequency of such incidents is comparatively very low, but the impact is very high.
In each of these cases, security awareness training plays an invaluable role. Technology alone can no longer solve the cybersecurity challenge. For consumers, training on the basics can go a long way toward protecting themselves from threats.
When organizations can offer a more formalized, comprehensive security awareness program, they can not only work to manage their employee risk, but also begin to manage the growing risk from contractors and third-party vendors.
For more information about some free public resources we provide, check out our OUCH! security awareness newsletter series.