The American chain of domestic merchandise retail stores, Bed Bath & Beyond Inc (BBBY.O), recently suffered a cyberattack by an unknown threat actor. As per reports, the perpetrator allegedly scanned the hard drives on the employee system and shared the data outside the organization. The company confirmed that its data was accessed by a third-party member via a phishing scam.
According to sources, the company is currently reviewing the compromised data and investigating the accessed material to see if the disks had any private or sensitive data. Since the attack was reported a few weeks ago, the data stolen could have been transported to the threat actor’s HQ.
Bed Bath & Beyond data breach
The home goods store stated that this cybersecurity incident is unlikely to affect the business and that there is no reason to think that any sensitive or personally identifiable information was accessed.
According to several publications, Bed Bath & Beyond reportedly asserted that a third party had knowledge of all the company’s actions for a month. Using a phishing scam, they were able to obtain the data through an employee’s hard drive. After the company filed to offer $150 million of common stock, shares of the once-heralded “category killer” in home and bath products fell around 5% in premarket trade.
According to the corporation, it is currently reviewing the data to see if any sensitive information could have helped the hacker target the business in any manner conceivable. The company’s executives claimed there was no reason to think the hacker had access to any private data. However, the business could face several challenges if the hacker gains access to the personal data of its customers.
In October 2019, Bed Bath & Beyond faced a similar attack where an unauthorized party accessed the emails and passwords of the employees. Following the attack, the company claimed that the attack compromised less than one percent of the online accounts, and no payment information was leaked. However, in both the incidents, the exact date of the breach was not disclosed, but both occurred in October with a 4-year-gap.