DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Did password re-use contribute to fraudulent use of some Nordstrom customers’ online accounts? (updated)

Posted on September 13, 2011 by Dissent

Nordstrom, the  Seattle-based department store chain, recently notified 17 customers that their online accounts had been accessed, and in some cases, misused. The company says that it is not to blame, however,  for how the cybercriminals obtained the customers’ login email addresses and passwords.

By letter dated September 3, Kim Dawson, Privacy Director for Nordstrom, explained that they had become aware of suspicious activity that resulted in some fraudulent purchases on some customers’ accounts.  An internal investigation revealed no breach of Nordstrom’s database, however.

In their letter, Dawson writes that customers became aware of the misuse of their accounts when they noted orders they had not placed or changes in their billing or shipping addresses.  In some cases fraudulent purchases were made using stolen credit card numbers, but in some cases, the fraudulent purchases were made using the customers’ credit card numbers, which Nordstrom states are not viewable online. Once the unauthorized individual(s) logged in to the customers’ online account, they reportedly would have been able to view name, address (billing and shipping), month and date of birth (but not year), purchase history, and the last four digits of the credit card on file, if any.

So if the intruder(s) could not see full credit card numbers, how were they able to obtain and use the customers’ full credit card numbers? [See update below]

In investigating the incident, Nordstrom learned that most of the affected customers had re-used passwords across web sites and/or had passwords that were not particularly complex. In some cases, customers also had malware on their systems that may have been related to the compromise of their information.

Did re-using passwords come back to haunt these customers? Perhaps so, although it would be nice to know how the full credit card numbers were acquired. Were they acquired from the customers’ own computers via malware, or has some other business that had full card numbers on file suffered a breach that they have either not detected or disclosed? [See update below: the card numbers on file were and could be used but not acquired.]

Update: Nordstrom’s report to the New Hampshire Attorney General’s Office, dated September 1, also mentions that 17 accounts were compromised but provides some additional details, including the fact that the accounts of 74 residents of New Hampshire showed evidence of unauthorized access. The company first became aware of the problem in June. In their letter, Nordstrom reveals some additional details learned from their investigation:

Some [affected] customers also reported receiving prior notification of breaches of their personal information from other entities, including their email addresses.

The letter also provides more detail on a forensic investigation conducted by Stroz Friedberg.

Overall, I’m favorably impressed by the completeness and transparency of Nordstrom’s disclosures to the states and to the consumers. I wish more disclosures were as detailed.

Category: Breach IncidentsBusiness SectorID TheftU.S.Unauthorized Access

Post navigation

← Phishing scam dump and single db dump from @CMDL1NE
Damages From Hannaford Bros. Data Breach Dominate 1st Circuit Debate →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.