Barnes & Noble confirms cyberattack, ransomware group leaks allegedly stolen data

Updated: The bookseller’s security incident also impacted Nook services.
Written by Charlie Osborne, Contributing Writer

Update 20.10 13.34pm BST: Data appears to have been leaked by a ransomware group. Details below.

Barnes & Noble has confirmed a cyberattack impacting Nook services and potentially exposing customer data. 

The US bookseller stocks over one million titles at any one time for distribution worldwide. As ebooks emerged as an alternative to traditional literature, in 2009, the company launched the Nook service, an ebook reader and storage platform. 

Over the weekend, as reported by Bleeping Computer, Barnes & Noble customers complained across social media of outages. Some customers were unable to access their Nook libraries or found that their previous purchases had vanished, others could not log in to the firm's online platform, and connectivity problems when sending or loading new books were widespread.

As noted by The Register, the outage also spread to physical outlets, where it appeared that some cash registers were also "briefly" unable to function. 

This prompted speculation that the disruption could be due to a malware infection: when Point-of-Sale (PoS) systems are affected as well, the cause may not be just a backend or server glitch.

The bookseller partially restored its systems by Tuesday, but it was not until Wednesday that Nook publicly acknowledged customer access and Nook service issues.  

Nook said at the time that a "system failure" was at fault and engineers were working hard to "get all Nook services back to full operation."

"Unfortunately, it has taken longer than anticipated," Nook continued. "We sincerely apologize for this inconvenience and frustration."

Now, Barnes & Noble has confirmed to customers that cyberattackers caused the service disruption. 

In an email, the bookseller said that on October 10, Barnes & Noble was the victim of an intrusion, leading to "unauthorized and unlawful access to certain Barnes & Noble corporate systems."

Customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories may have been exposed during the breach.

"We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility," the company added. 

However, the bookseller emphasizes that no financial data, "encrypted and tokenized" as a security measure, was taken or available to the threat actors.

The firm has not disclosed how many customers may be impacted by the suspected data breach. Barnes & Noble warns that as email addresses have been leaked, they may be used in phishing campaigns.

While the details of the cyberattack are yet to be made public, it is possible that ransomware could be at the heart of the incident. Bad Packets told BleepingComputer that the bookseller's VPN servers were previously vulnerable to CVE-2019-11510, an arbitrary read vulnerability.

Security flaws like this can be used to compromise corporate networks and deploy payloads, including ransomware. In recent months, AG and the Duesseldorf University Hospital have experienced severe ransomware attacks. 

Update: A ransomware group going by the name of Egregor has leaked data it claims belongs to Barnes & Noble customers. In a dump posted on Egregor's Dark Web domain, the group says the dump is a "small proof pack" of the data the threat actors have stolen. 

The leak of some stolen records, or portions of data, can be a way for cybercriminals to put pressure on victim companies to pay up when a ransomware incident or data theft occurs. Egregor has threatened to release the "personal data" of customers unless Barnes & Noble contacts the group.

The ransomware group, as previously reported by ZDNet, published data in October which is claimed to belong to Ubisoft and Crytek, two large game organizations. 

ZDNet has reached out to Barnes & Noble and will update when we hear back. 
