News Insights: Security breach at Nordstrom exposed sensitive employee data

News Insights: Terry Ray, CTO at Imperva:

Mismanaging data is rarely an event that warrants a pat on the back or even a golf clap, but those were my initial feelings after reading about Nordstrom’s data exposure.  Sure, it’s bad that such an incident happened, but let’s consider what happened afterward.

Employee data was collected and given to a third party, most likely to manage direct deposits of wages; certainly not unusual in business, and a necessary reason to gather such data. That third party contract worker inadvertently exposed data.

Here’s where the positive activity starts. Nordstrom’s own security team became aware of the exposure in a reasonable time. Many breaches and exposures aren’t identified for months or years and, often times not disclosed in a reasonable amount of time. Additionally, most breaches are identified by external researcher or law enforcement before the company, however, this is not the case with Nordstrom.

Nordstrom knows what was exposed – employee data (names, addresses, banking details – Not customers). In more than half of breaches and exposures companies do not know what data was exposed or stolen. Nordstrom then took immediate steps to remediate, removing the contract worker and putting additional controls put in place. Then despite the fact that there is no evidence data was actually stolen, the company then proactively notified all employees of the incident. Taking that a step further, Nordstrom offered affected employees two years of identity theft protection, which companies often only offer post breach, for exposure.

All in all, Nordstrom appears to be handling this exposure very responsibly. Kudos to them.