Bed, Bath and Beyond confirms another major data breach

Data Breach
(Image credit: Shutterstock)

American retail giant Bed, Bath & Beyond has suffered a data breach, the company has confirmed in an 8-K filing to the U.S. Securities and Exchange Commission (SEC), albeit with somewhat conflicting statements.

In its filing, the company said that it discovered a successful phishing attack against one of its employees. The unknown threat actor managed to access a hard drive, as well as some shared drives, to which the affected employee had access. 

But here is where it gets conflicting: In the same paragraph, the company says it’s analyzing the stolen data to see if there were any sensitive or personally identifiable information in the stolen batch, and that it has “no reason to believe” such data was accessed.

Details are scarce

In fact, even though the investigation is ongoing, Bed, Bath & Beyond says it has no reason to believe this event “would be likely to have a material impact” on the company. 

Other than this statement, the company provided no additional details. The media reached out to find out the amount and type of stolen data, to no avail. Furthermore, the company declined to comment if it has the technical means to even detect evidence of exfiltration, TechCrunch reported. 

This is not the first time the company has suffered a data breach. In fact, almost exactly three years ago (on October 29, 2019), the company also disclosed a data breach via an 8-K filing with the SEC.

Back then, it said it discovered a third party acquiring email and password information from a source “outside of the company’s systems”, which was subsequently used to access less than 1% of the company’s online customer accounts. While they did access sensitive information, the attackers did not get customer payment card information, it was confirmed. As a result, Bed, Bath & Beyond did not expect the data breach to result in any significant damages. 

Via: TechCrunch

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.