Best Buy Suffers Second Email Breach

Epsilon hack victim's customer emails exposed yet again -- via a different vendor

Best Buy, which was among the 100 or so companies hit in the recent Epsilon breach, is responding to a second consecutive breach at the hands of one of its vendors.

The big-box electronics retailer found on April 22 that email addresses of some of its customers had been "accessed without authorization" via one of its vendors, according to a Best Buy spokesman, who declined to name the vendor. Best Buy had already parted ways with that provider prior to the discovery of the breach, he said, due to a "strategic business decision."

Best Buy would not elaborate on how many customer emails were stolen or provide any details about the attack. It's unclear whether the latest breach was in any way connected to the Epsilon incident.

"I don't know that they are related. But it's an interesting coincidence time-wise," says Dave Marcus, director of McAfee Labs security research communications.

This latest breach comes on the heels of Best Buy's customer emails being exposed in the massive Epsilon breach last month. While no credit card accounts, Social Security numbers, or source code were stolen from Epsilon, millions of email addresses and, in some cases, full names of customers of major retailers and financial institutions were. The attack could reverberate for years to come with phishing, spamming, and targeted attacks against individuals and businesses.

"If I [were] a company [affected by these breaches], I would be worried that any of this information was going to be used against my company for spear phishing ... If my executives' information is in there, that's another kind of information a real attacker wants," McAfee's Marcus says.

Among the big names in retail and banking hit in the Epsilon breach besides Best Buy were 1-800-Flowers, AbeBooks (a division of Amazon), American Express, Ameriprise, AstraZeneca, Barclays Bank of Delaware, Capital One, Citi, The College Board, Dillons, Disney Destinations, Food 4 Less, Hilton HHonors, Home Shopping Network, Jay C, JP Morgan Chase, King Soopers, Krogers, Lacoste, LL Bean VISA, Marriott Rewards, McKinsey Quarterly, Ralphs, Red Roof Inn, Ritz-Carlton Rewards, TiVo, US Bank, Verizon, and Walgreens, according to notices from some of these firms and industry sources.

The Best Buy spokesman noted that the second breach was similar to the Epsilon incident. "A similar situation occurred with some of our customers and other companies recently. We regret these situations have taken place and for any inconvenience that may have been caused. While this is a completely new situation and involves a completely separate vendor, our ongoing commitment to customers and the importance of data security to Best Buy has not changed. We continually assess our data privacy standards and look for opportunities to enhance them," he said.

Meanwhile, Best Buy says it remains an Epsilon partner, but the company considers email service provider Exact Target its primary provider: "Best Buy continues to work with companies such as Exact Target to execute email marketing programs. Exact Target, our primary email service provider, is widely considered an industry leader in email security. They have been instrumental in helping Best Buy manage recent data security issues and are one of the company's valued marketing partners," the spokesperson said.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

