Bed Bath & Beyond Confirms Data Breach Following Phishing Attack

The US retail store Bed Bath & Beyond has confirmed that it suffered a data breach after an employee was caught out by a phishing scam.

In an SEC filing, the organisation said that it had learned that a cyber criminal had “improperly accessed” company data in the attack.

It’s unclear how exactly the crook tricked the employee, but the retailer said that the attacker was able to access data on a hard drive and some shared drives.

A spokesperson for the company declined to say how much data was stolen or what types of information were compromised. However, in its initial filing, Bed Bath & Beyond was confident that the incident posed a minimal risk.

It said that there was “no reason to believe that any such sensitive or personally identifiable information was accessed or that this event would be likely to have a material impact on the Company”.

Without further details, it’s hard to speculate on the accuracy of this assessment. The organisation hasn’t commented on the existence of technical measures, such as logs, that would enable it to detect data exfiltration.

As such, it’s difficult to determine whether this confidence is merited. However, it’s hard to believe that a cyber criminal who gained the level of access being reported (a hard drive plus shared drives) wouldn’t have used it to steal sensitive data.

But if Bed Bath & Beyond’s assessment is true, it’s a statement of organisational resilience that will turn a potential PR disaster into a positive.  

How might disaster be averted?

The data breach at Bed Bath & Beyond comes the same week as the release of new phishing guidance from CISA (the US Cybersecurity and Infrastructure Security Agency).

It published two fact sheets that are designed to highlight the threat of account compromise and the ways that MFA (multi-factor authentication) can protect organisations.

“CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber-threats,” the agency wrote.

Multi-factor authentication is an increasingly popular mechanism for securing accounts. In addition to entering a password, users must provide a second piece of information that confirms that they have legitimate access to the system.

This is typically either ‘something you have’ (such as a code sent to your phone, an authenticator app or a hardware security key) or ‘something you are’ (such as a fingerprint scan). Note that not every second factor is equal: a code sent by SMS or generated by an app can be typed into a fake login page just as easily as a password, which is why CISA’s guidance singles out “phishing-resistant” MFA, meaning FIDO/WebAuthn authenticators or PKI-based smart cards, in which the credential is cryptographically bound to the genuine site and cannot be relayed by a look-alike one.

By doing this, you mitigate the risk of password compromise. An attacker who has your login details still needs the second factor to access your account.

MFA isn’t foolproof; there are techniques that criminal hackers can use to obtain or bypass the second factor. Indeed, the first of CISA’s two fact sheets describes the ways that threat actors have defeated weaker forms of MFA, including phishing (tricking the user into entering a one-time code on a fake page), push bombing (spamming approval prompts until the user taps ‘accept’) and SIM swapping (taking over the phone number that receives SMS codes).
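To make the difference between a phishable and a phishing-resistant second factor concrete, here is an added example (not code from the original article, CISA, or the retailer) simulating an adversary-in-the-middle phishing page against both. It runs offline: the TOTP implementation follows RFC 6238, but the WebAuthn side is a simplification in which an HMAC key stands in for the credential’s private key, and the server checks only the origin and challenge in clientData (real authenticators also hash the RP ID into authenticatorData). All passwords, secrets and domain names are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import struct

# ---------- Factor 1: TOTP (RFC 6238), the "code on your phone" ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class TotpServer:
    """Checks password + current code. Nothing ties the code to where it was typed."""
    def __init__(self, password: str, totp_secret: bytes):
        self.password = password
        self.totp_secret = totp_secret

    def login(self, password: str, code: str, unix_time: int) -> bool:
        expected = totp(self.totp_secret, unix_time)
        return password == self.password and hmac.compare_digest(code, expected)

def totp_relay_phish(server, victim_password, victim_secret, unix_time) -> bool:
    """Adversary-in-the-middle: the fake page collects the password and the code the
    victim reads off their phone, then replays both to the real server within the window."""
    code_victim_typed = totp(victim_secret, unix_time)
    return server.login(victim_password, code_victim_typed, unix_time)

# ---------- Factor 2: origin-bound assertion (WebAuthn/FIDO2-style) ----------
# Simplification: an HMAC key stands in for the credential's private key, and
# clientData carries the origin the browser actually connected to, as in WebAuthn.
class OriginBoundServer:
    def __init__(self, credential_key: bytes, rp_origin: str):
        self.credential_key = credential_key
        self.rp_origin = rp_origin
        self.pending_challenge = None

    def new_challenge(self) -> bytes:
        self.pending_challenge = secrets.token_bytes(16)
        return self.pending_challenge

    def verify(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != self.rp_origin:   # the phishing-resistance check
            return False
        if self.pending_challenge is None or client_data.get("challenge") != self.pending_challenge.hex():
            return False
        self.pending_challenge = None                       # challenge is single use
        expected = hmac.new(self.credential_key, assertion["client_data"].encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])

def authenticator_sign(credential_key: bytes, origin_seen_by_browser: str, challenge: bytes) -> dict:
    """The browser, not the user, fills in the origin, so the user cannot be talked into changing it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin_seen_by_browser},
        sort_keys=True,
    )
    signature = hmac.new(credential_key, client_data.encode(), hashlib.sha256).digest()
    return {"client_data": client_data, "signature": signature}

def webauthn_relay_phish(server, credential_key: bytes, phishing_origin: str) -> bool:
    """Same relay: the attacker fetches a real challenge, has the victim's browser sign it
    on the fake site, and forwards the result. The origin in clientData gives it away."""
    challenge = server.new_challenge()
    assertion = authenticator_sign(credential_key, phishing_origin, challenge)
    return server.verify(assertion)

def webauthn_legit_login(server, credential_key: bytes) -> bool:
    challenge = server.new_challenge()
    assertion = authenticator_sign(credential_key, server.rp_origin, challenge)
    return server.verify(assertion)

# Constructed demo data, not from any real system.
VICTIM_PASSWORD = "correct horse battery staple"
VICTIM_TOTP_SECRET = b"12345678901234567890"        # the RFC 6238 test-vector secret
CREDENTIAL_KEY = b"\x01" * 32
REAL_ORIGIN = "https://login.retailer.example"
PHISH_ORIGIN = "https://login.retailer-example.com"  # look-alike domain

if __name__ == "__main__":
    t = 1_700_000_000
    totp_srv = TotpServer(VICTIM_PASSWORD, VICTIM_TOTP_SECRET)
    print("TOTP relayed via phishing page accepted:", totp_relay_phish(totp_srv, VICTIM_PASSWORD, VICTIM_TOTP_SECRET, t))
    srv = OriginBoundServer(CREDENTIAL_KEY, REAL_ORIGIN)
    print("origin-bound assertion relayed via phishing page accepted:", webauthn_relay_phish(srv, CREDENTIAL_KEY, PHISH_ORIGIN))
    print("origin-bound assertion from the real site accepted:", webauthn_legit_login(srv, CREDENTIAL_KEY))
```

The relayed TOTP code is accepted because the server has no way to tell which page the user typed it into, while the relayed WebAuthn-style assertion is rejected because the browser stamped the phishing origin into the signed clientData. In a real browser the credential would not even be offered to the look-alike domain, so the failure happens earlier still; this simulation shows the server-side check that remains even if the client is bypassed.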

Meanwhile, its second fact sheet covers number matching in MFA push applications, a control that blunts push bombing by requiring the user to type a number shown on the login screen rather than simply tapping ‘approve’. Technical controls only go so far, though, and one of the most effective complementary measures is staff awareness training.

Although organisations often mistakenly believe that technical defences alone will keep cyber threats out, phishing poses a distinct problem: the weakness that attackers are targeting is human judgement.

They rely on the recipient of a bogus email not spotting the signs of a scam and falling for their trap. To prevent data breaches, organisations must therefore educate employees on the threat and the ways they can stay safe.

You can find all the advice you need to protect your employees with IT Governance’s Phishing Staff Awareness Training Programme.

This online course uses real-world examples to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

The content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.
