What you Need to Know About the Nordstrom Hack

Nordstrom Blames Breach of Employee Data on Contractor.

Luxury department store chain, Nordstrom announced they recently experienced a data incident in what appears to be an insider threat incident from a contractor. The exposed data evidently included names, Social Security numbers, birthdates, checking account and routing numbers, and employee salary information.

While Nordstrom isn't providing many details on exactly what the incident was or who had access to the data, it does serve as a great learning lesson. We may not have all the details, but events like these highlight several points to keep in mind:

As we shop online, it is becoming progressively more difficult to protect our own data. Similar to the Equifax hack, we have become dependent on organizations like Nordstrom to protect our information, and when those protections fail, it is the consumer who often feels the most pain.
Contractors and vendors alike are increasingly becoming a difficult risk to manage. In most cases, contractors and vendors do not cause incidents with malicious intent. We generally see accidental incidents. These third parties are given trusted access to data and systems similar to employees, but they aren't generally held with the same expectations to undergo the proper security training.
Malicious insider threats can be one of the most difficult threats to detect and manage, as the frequency of such incidents is comparatively very low, but the impact is very high.

In each of these cases, security awareness training plays an invaluable role. Technology alone can no longer solve the cybersecurity challenge. For the consumer, training on the basics can go a far way in protecting themselves from threats.

When organizations can offer a more formalized, comprehensive security awareness program, they can not only work to manage their employee risk, but also begin to manage the growing risk from contractors and third party vendors.

For more information about some free public resources we provide, check out our series of the OUCH! security awareness newsletter.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.