DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Did password re-use contribute to fraudulent use of some Nordstrom customers’ online accounts? (updated)

Posted on September 13, 2011 by Dissent

Nordstrom, the  Seattle-based department store chain, recently notified 17 customers that their online accounts had been accessed, and in some cases, misused. The company says that it is not to blame, however,  for how the cybercriminals obtained the customers’ login email addresses and passwords.

By letter dated September 3, Kim Dawson, Privacy Director for Nordstrom, explained that they had become aware of suspicious activity that resulted in some fraudulent purchases on some customers’ accounts.  An internal investigation revealed no breach of Nordstrom’s database, however.

In their letter, Dawson writes that customers became aware of the misuse of their accounts when they noted orders they had not placed or changes in their billing or shipping addresses.  In some cases fraudulent purchases were made using stolen credit card numbers, but in some cases, the fraudulent purchases were made using the customers’ credit card numbers, which Nordstrom states are not viewable online. Once the unauthorized individual(s) logged in to the customers’ online account, they reportedly would have been able to view name, address (billing and shipping), month and date of birth (but not year), purchase history, and the last four digits of the credit card on file, if any.

So if the intruder(s) could not see full credit card numbers, how were they able to obtain and use the customers’ full credit card numbers? [See update below]

In investigating the incident, Nordstrom learned that most of the affected customers had re-used passwords across web sites and/or had passwords that were not particularly complex. In some cases, customers also had malware on their systems that may have been related to the compromise of their information.

Did re-using passwords come back to haunt these customers? Perhaps so, although it would be nice to know how the full credit card numbers were acquired. Were they acquired from the customers’ own computers via malware, or has some other business that had full card numbers on file suffered a breach that they have either not detected or disclosed? [See update below: the card numbers on file were and could be used but not acquired.]

Update: Nordstrom’s report to the New Hampshire Attorney General’s Office, dated September 1, also mentions that 17 accounts were compromised but provides some additional details, including the fact that the accounts of 74 residents of New Hampshire showed evidence of unauthorized access. The company first became aware of the problem in June. In their letter, Nordstrom reveals some additional details learned from their investigation:

Some [affected] customers also reported receiving prior notification of breaches of their personal information from other entities, including their email addresses.

The letter also provides more detail on a forensic investigation conducted by Stroz Friedberg.

Overall, I’m favorably impressed by the completeness and transparency of Nordstrom’s disclosures to the states and to the consumers. I wish more disclosures were as detailed.

Category: Breach IncidentsBusiness SectorID TheftU.S.Unauthorized Access

Post navigation

← Phishing scam dump and single db dump from @CMDL1NE
Damages From Hannaford Bros. Data Breach Dominate 1st Circuit Debate →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.