Did password re-use contribute to fraudulent use of some Nordstrom customers’ online accounts? (updated)
Nordstrom, the Seattle-based department store chain, recently notified 17 customers that their online accounts had been accessed, and in some cases, misused. The company says that it is not to blame, however, for how the cybercriminals obtained the customers’ login email addresses and passwords.
By letter dated September 3, Kim Dawson, Privacy Director for Nordstrom, explained that they had become aware of suspicious activity that resulted in some fraudulent purchases on some customers’ accounts. An internal investigation revealed no breach of Nordstrom’s database, however.
In their letter, Dawson writes that customers became aware of the misuse of their accounts when they noted orders they had not placed or changes in their billing or shipping addresses. In some cases fraudulent purchases were made using stolen credit card numbers, but in some cases, the fraudulent purchases were made using the customers’ credit card numbers, which Nordstrom states are not viewable online. Once the unauthorized individual(s) logged in to the customers’ online account, they reportedly would have been able to view name, address (billing and shipping), month and date of birth (but not year), purchase history, and the last four digits of the credit card on file, if any.
So if the intruder(s) could not see full credit card numbers, how were they able to obtain and use the customers’ full credit card numbers? [See update below]
In investigating the incident, Nordstrom learned that most of the affected customers had re-used passwords across web sites and/or had passwords that were not particularly complex. In some cases, customers also had malware on their systems that may have been related to the compromise of their information.
Did re-using passwords come back to haunt these customers? Perhaps so,
although it would be nice to know how the full credit card numbers were acquired. Were they acquired from the customers’ own computers via malware, or has some other business that had full card numbers on file suffered a breach that they have either not detected or disclosed? [See update below: the card numbers on file were and could be used but not acquired.]
Update: Nordstrom’s report to the New Hampshire Attorney General’s Office, dated September 1, also mentions that 17 accounts were compromised but provides some additional details, including the fact that the accounts of 74 residents of New Hampshire showed evidence of unauthorized access. The company first became aware of the problem in June. In their letter, Nordstrom reveals some additional details learned from their investigation:
Some [affected] customers also reported receiving prior notification of breaches of their personal information from other entities, including their email addresses.
The letter also provides more detail on a forensic investigation conducted by Stroz Friedberg.
Overall, I’m favorably impressed by the completeness and transparency of Nordstrom’s disclosures to the states and to the consumers. I wish more disclosures were as detailed.