The home goods retailer has announced that an unauthorised party acquired the login information of some of its customers.
According to the Securities and Exchange Commission (SEC) filing, an unauthorised party obtained email and password information from an external source outside the company’s system.
Less than 1% of Bed Bath & Beyond’s online customer accounts were compromised. It should be noted that payment card information was not affected.
It remains unclear as to when the breach occurred, however once discovered the company hired a security forensics firm to investigate, and has “implemented remedial measures.” Additionally, notifications have been sent to “certain customers as required by applicable legal requirements.”
In the filing, the company stated that the breach would not have a “material adverse effect” on its operations, cash flows or “financial condition for any fiscal period”, however, the company’s stock fell 0.2% in after-hours trading.
Colin Bastable, CEO of Lucy Security, told SC Magazine: “The most likely point of entry is through a third-party supplier of services to the company, and the odds are over 90 percent in favor of the attack being initiated by a phishing email, perhaps a spoof email, one that appears to be from someone else.”
“The message for employees is: Don’t use work email addresses on third-party web sites, and learn to spot phishing and spearphishing emails,” Bastable continued.
“For affected BB&B customers, the risk is significant. The bad guys don’t need a password to phish you, just a valid email. How do they know that the next marketing email is really from Bed Bath & Beyond?”