Ikea Canada isn’t saying exactly how it discovered that an employee had searched a customer database without permission, or whether the results of those searches were saved in an unsecured file.
Reports of the incident emerged last week when Global News reported that a customer of the furniture retailer had been notified of a data incident. Ikea Canada says 95,000 customers are being notified.
On Monday, Ikea Canada public relations leader Kristin Newbigging told ITWorldCanada that the company became aware that some customers’ personal information appeared in the results of a generic search made by a co-worker between March 1st and March 3rd.
Asked by email specifically how the company found out, whether the employee saved the searches and, if so, whether the saved data was left unprotected by a password and exposed on the internet, Newbigging would only say that the incident was discovered during an investigation. “We have taken actions to remedy this situation, including steps to prevent the data from being used, stored, or shared with any third parties,” she wrote.
“We can confirm that no financial or banking information was accessed,” she also said. “No action is required by our customers.
“We have proactively notified the Office of the Privacy Commissioner of Canada about this incident, as well as any applicable customers. We have also reviewed and updated internal processes to prevent such incidents in the future.”
To Ikea Canada’s credit, said Erich Kron, security awareness advocate at KnowBe4, it spotted the kind of data access that many organizations would not have noticed, and by notifying affected customers and the Office of the Privacy Commissioner of Canada, it allowed potential victims to take the steps needed to protect themselves. “Like with their store layouts, spotting when and where data may have been accessed, especially by an internal employee, can lead down an ever-twisting path full of false flags and pointless distractions, often resulting in nothing useful being found.
“Organizations should be careful to periodically confirm the type of data employees can access and should limit it to the least amount needed to perform their job. In addition, penetration tests should be performed to look for vulnerabilities within the network and Data Loss Prevention (DLP) controls enabled to reduce the chance of sensitive data being removed from the network.”
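One concrete way to spot the kind of access Kron describes, a single co-worker query whose result set covers most of a customer table, is to review result-set sizes and query shape in the database’s query audit log rather than waiting for the data to turn up elsewhere. The script below is an added example written for this article; it is not Ikea Canada’s or KnowBe4’s tooling. The JSON-lines log format, the field names, the row thresholds and the sample records are all constructed assumptions, chosen so the flagged query mirrors the incident described above.

```python
"""Flag over-broad customer-database lookups in a query audit log.

Added illustration, not Ikea Canada's or KnowBe4's code. The log format,
field names, thresholds and sample records are assumptions for this example.
"""
import json
import re
import statistics
from collections import defaultdict

# Constructed sample audit log (JSON lines), one record per query run against
# the customer table. Not real data; the 95,000-row queries are modelled on the
# incident described in the article.
SAMPLE_LOG = """
{"ts":"2023-02-27T09:12:01Z","user":"jdoe","rows":1,"sql":"SELECT name,email FROM customers WHERE customer_id = 48213"}
{"ts":"2023-02-27T09:40:44Z","user":"jdoe","rows":1,"sql":"SELECT name,email FROM customers WHERE order_no = 'A1002'"}
{"ts":"2023-02-28T11:05:10Z","user":"jdoe","rows":2,"sql":"SELECT name,email FROM customers WHERE postal_code = 'M5V1A1'"}
{"ts":"2023-03-01T14:22:09Z","user":"jdoe","rows":95000,"sql":"SELECT name,email,phone,address FROM customers WHERE name LIKE '%'"}
{"ts":"2023-03-02T08:01:33Z","user":"asmith","rows":1,"sql":"SELECT name FROM customers WHERE customer_id = 77"}
{"ts":"2023-03-03T10:15:02Z","user":"jdoe","rows":95000,"sql":"SELECT name,email,phone,address FROM customers"}
"""

ABS_ROW_LIMIT = 500       # assumption: no single support lookup legitimately needs this many rows
BASELINE_MULTIPLIER = 20  # assumption: flag when a result is > 20x the user's prior median

# A "generic" search: a SELECT with no WHERE clause at all, or a LIKE pattern
# made only of wildcards, which matches every row.
_NO_WHERE = re.compile(r"^\s*select\b(?!.*\bwhere\b)", re.I | re.S)
_WILDCARD_ONLY = re.compile(r"\blike\s+'[%_]*'", re.I)


def is_generic(sql):
    """True when the query carries no selective predicate."""
    return bool(_NO_WHERE.search(sql) or _WILDCARD_ONLY.search(sql))


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(records):
    """Return (record, reasons) for every query worth an analyst's attention.

    Records are processed in order, so each user's baseline is built only
    from their earlier, unflagged queries: a first bulk dump must not become
    the new normal for that account.
    """
    history = defaultdict(list)
    hits = []
    for rec in records:
        reasons = []
        if is_generic(rec["sql"]):
            reasons.append("generic search (no selective predicate)")
        if rec["rows"] > ABS_ROW_LIMIT:
            reasons.append(f"result set of {rec['rows']} rows exceeds hard limit {ABS_ROW_LIMIT}")
        prior = history[rec["user"]]
        if prior:
            baseline = statistics.median(prior)
            if rec["rows"] > BASELINE_MULTIPLIER * max(baseline, 1):
                reasons.append(f"{rec['rows']} rows vs this user's median of {baseline:g}")
        if reasons:
            hits.append((rec, reasons))
        else:
            history[rec["user"]].append(rec["rows"])
    return hits


if __name__ == "__main__":
    for rec, reasons in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{rec['ts']} {rec['user']}: {rec['sql']}")
        for r in reasons:
            print(f"    - {r}")
```

Run stand-alone, the script flags only the two March queries by `jdoe`, each for three independent reasons (no selective predicate, over the hard row limit, and far above that user’s own median). The hard limit catches the obvious dump; the per-user baseline catches a quieter one that stays under the absolute threshold but is still out of character for the account, and the query-shape check fires even on databases whose audit logs do not record row counts.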
The incident accentuates the threat posed by the “inside job,” said Erfan Shadabi, cybersecurity expert with data security specialists comforte AG. “When we hear of careless handling of sensitive information, we begin to wonder just how secure our own data is within the many different data ecosystems housing and processing it. Employees are usually granted a certain level of trust with enterprise data, even if they don’t have access and rights to all information within the organization. Working from the inside with an implied level of trust means that the inside job has more time to develop and execute an effective exfiltration strategy.
“The answer to counter this threat,” he said, “is to recognize how vulnerable businesses are from the inside and to adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network.
“Also, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof. Make sure that data-centric protection such as tokenization or format-preserving encryption effectively obfuscates sensitive information in case internal or external threat actors find their way into your data ecosystem.”