Bed, Bath & Beyond confirms data breach following employee phishing attack

U.S. retail giant Bed, Bath & Beyond has confirmed unauthorized access to company data after an employee was phished.

In an 8-K filing to the U.S. Securities and Exchange Commission, the home goods retailer said it became aware that an attacker had “improperly accessed” company data after a successful phishing scam targeting an employee in October. This gave the hacker access to data on the employee’s hard drive and other shared drives to which the employee had access.

The company said in the filing that it has “no reason to believe” that sensitive or personally identifiable information was accessed or that this cybersecurity incident would have a material impact on the company, but did not provide evidence for this claim, and admitted that its investigation was ongoing.

When reached by TechCrunch, Bed, Bath & Beyond chief legal officer Arlene Hong, via a spokesperson who would not provide their name, declined to say how much data was stolen or what types of data the attacker was able to access. It also remains unclear whether the company has the technical means, such as logs, to detect evidence of exfiltration.

Bed, Bath & Beyond also declined to provide any further information about the phishing incident or the cybersecurity protections it has in place to protect against such incidents.

This isn’t the first time the U.S. retail giant has experienced a data breach. Bed, Bath & Beyond said in October 2019 that less than 1% of online customer accounts were compromised and no customers’ payment cards were impacted.