Ikea Canada doesn’t say exactly how it discovered an employee had searched a customer database without permission, or whether their searches were saved to an unsecured file.
Reports of the breach of security controls emerged last week when Global News said a customer of the furniture retailer had been notified of a data incident. Ikea Canada said 95,000 customers were being notified.
On Monday, Ikea Canada public relations manager Kristin Newbigging told ITWorldCanada that the company became aware that certain personal customer information had appeared in the results of a generic search performed by a colleague between March 1 and March 3.
When asked by email how the company found out, whether the employee had saved any searches, and if so, whether that saved information had been left without password protection and exposed to the internet, Newbigging replied only that the incident had been discovered during an investigation. “We have taken steps to remedy this situation, including steps to prevent the data from being used, stored or shared with third parties,” she wrote.
“We can confirm that no financial or banking information was accessed,” she also said. “No action is required from our customers.
“We have proactively informed the Office of the Privacy Commissioner of Canada of this incident, as well as all affected customers. We have also reviewed and updated internal processes to prevent such incidents in the future.”
To Ikea Canada’s credit, said Erich Kron, security awareness advocate at KnowBe4, it spotted the kind of data access that many organizations wouldn’t have noticed, and by reporting the incident to the Office of the Privacy Commissioner of Canada it has enabled potential victims to take the necessary steps to protect themselves. “As with the layout of their stores, tracking when and where data may have been accessed, especially by an internal employee, can lead down an ever-meandering path full of false flags and unnecessary distractions, often resulting in the discovery of nothing useful.
“Organizations should ensure that they periodically confirm the type of data that employees can access and should limit it to the minimum necessary to perform their jobs. In addition, penetration tests should be performed to look for vulnerabilities within the network, and Data Loss Prevention (DLP) controls should be enabled to reduce the risk of sensitive data being deleted from the network.”
The incident highlights the threat posed by insiders, said Erfan Shadabi, cybersecurity expert at data security specialist Comforte AG. “When we hear of careless handling of sensitive information, we begin to wonder how secure our own data is within the many different data ecosystems that house and process it. Employees are typically granted some level of trust with corporate data, even if they don’t have access to all the information within the organization. Working from the inside with an implicit level of trust means that an insider has more time to develop and execute an effective exfiltration strategy.
“The answer to countering this threat,” he said, “is to recognize how vulnerable companies are from within and adopt security postures such as Zero Trust, which denies implicit trust to users, devices and other entities, regardless of their location within the network.
“Also protect all sensitive company data with more than just perimeter security, even if you think the impenetrable vault you’ve stored everything in is foolproof. Ensure that data-centric protection, such as tokenization or format-preserving encryption, effectively hides sensitive information in case internal or external threat actors find their way into your data ecosystem.”