Nordstrom Breach Exposes Employee Information

Here we go again. Another retailer, another cyber-attack linked to a third party vendor. But this time, the focus wasn’t on stealing customer information, but rather employee data. Luxury retail chain Nordstrom has announced that its employees’ information may have been compromised in a data breach and may include employees’ Social Security numbers, dates of birth, checking account numbers, routing numbers, and other personally identifiable information (PII). Bad actors know that breaking into a smaller vendor, one without adequate security budgets, opens the door to stealing valuable data from large enterprises.

In an official statement, Nordstrom identified the source of the breach to be a contract worker who improperly handled the employee data. While it is still unclear whether the information was shared or used maliciously, the company made clear that the contract worker “no longer has any access to our systems and we’re putting additional measures in place to help prevent this from happening again.” Nordstrom has yet to disclose the number of employees affected by the breach.

While Nordstrom’s breach is somewhat unique in that it was employee information rather than customer information that was exposed, it is another in a growing line of data breaches caused by third party vendors. These third party breaches have affected companies such as Target and Expedia and have prompted discussions about different approaches towards third party risk management.

Although there is some disagreement in the field of third party risk management about the efficacy versus burden of different risk mitigation methods like assessment surveys, continuous monitoring, and onsite inspections, the reality is that each of these is a single tool available for risk management teams, and each serves a specific purpose in the context of the relationship between vendor and customer.

In the case of the Nordstrom breach, the involvement of a third party contractor highlights the need for a multifaceted third party risk program. Assessment surveys and a thorough onboarding process can help firms mitigate the risk from human threats, while continuous monitoring can preempt and lessen cyber threats.

Prevalent brings its partners the full toolkit for preventing and managing third party risk. Forrester recently named Prevalent a Leader in The Forrester New Wave™: Cybersecurity Risk Rating Solutions and noted that “Prevalent is best for companies that want one TPRM tool with integrated cyber-risk ratings. Given its robust risk intelligence and comprehensive risk management features, Prevalent is a worthy option for Security and Risk professionals seeking one tool for all cyber TPRM activities.”

As the industry’s only purpose-built, unified platform that integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors, Prevalent provides the best solution for a highly-functioning, effective third-party risk program.

Daryan Ver Ploeg is an Open Source Intelligence Analyst with Prevalent’s Vendor Threat Monitor team based out of Washington, DC. He is a graduate of the University of Maryland, College Park with a Bachelor of Arts in Government and Politics.