The big-box electronics retailer found on April 22 that email addresses of some of its customers had been "accessed without authorization" via one of its vendors, according to a Best Buy spokesman, who declined to name the vendor. Best Buy had already parted ways with that provider prior to the discovery of the breach, he said, due to a "strategic business decision."
Best Buy would not elaborate on how many customer emails were stolen or provide any details about the attack. It's unclear whether the latest breach was in any way connected to the Epsilon incident.
"I don't know that they are related. But it's an interesting coincidence time-wise," says Dave Marcus, director of McAfee Labs security research communications.
This latest breach comes on the heels of Best Buy's customer emails being exposed in the massive Epsilon breach last month. While no credit card accounts, Social Security numbers, or source code were stolen from Epsilon, millions of email addresses and, in some cases, full names of customers of major retailers and financial institutions were. The attack could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.
"If I [were] a company [affected by these breaches], I would be worried that any of this information was going to be used against my company for spear phishing ... If my executives' information is in there, that's another kind of information a real attacker wants," McAfee's Marcus says.
Among the big names in retail and banking hit in the Epsilon breach besides Best Buy were 1-800-Flowers, AbeBooks (a division of Amazon), American Express, Ameriprise, AstraZeneca, Barclays Bank of Delaware, Capital One, Citi, The College Board, Dillons, Disney Destinations, Food 4 Less, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, Lacoste, LL Bean VISA, Marriott Rewards, McKinsey Quarterly, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, TiVo, US Bank, Verizon, and Walgreens, according to notices from some of these firms and industry sources.
The Best Buy spokesman noted that the second breach was similar to that of Epsilon's. "A similar situation occurred with some of our customers and other companies recently. We regret these situations have taken place and for any inconvenience that may have been caused. While this is a completely new situation and involves a completely separate vendor, our ongoing commitment to customers and the importance of data security to Best Buy has not changed. We continually assess our data privacy standards and look for opportunities to enhance them," he said.
Meanwhile, Best Buy says it remains an Epsilon partner. But the company considers email service provider Exact Target as its primary provider: "Best Buy continues to work with companies such as Exact Target to execute email marketing programs. Exact Target, our primary email service provider, is widely considered an industry leader in email security. They have been instrumental in helping Best Buy manage recent data security issues and is one of the company’s valued marketing partners," the spokesperson said.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.