Cyber Incident Victim: Bed Bath & Beyond
Date: Oct 2022
Location: United States of America
Summary
Bed Bath & Beyond experienced a data breach after an employee fell victim to a phishing attack, leading to unauthorized access to certain hard drives and shared drives accessible to the compromised account. The company found no evidence that sensitive or personally identifiable information was accessed during the incident and stated it was unlikely to have a material impact. This follows a prior cybersecurity event where customer accounts were breached through reused credentials obtained from an unrelated third-party compromise.
Description
In October 2022, Bed Bath & Beyond disclosed a data breach stemming from a phishing attack targeting a company employee. The incident came to light through an SEC filing dated October 29, 2022, where the retailer confirmed unauthorized access to corporate systems after the employee fell victim to a "phishing scam" earlier that month. Attackers leveraged this initial compromise to access data stored on the employee's hard drive and certain shared drives within the organization's network. At the time of disclosure, Bed Bath & Beyond's ongoing investigation had not identified evidence that the compromised drives contained sensitive or personally identifiable information (PII). The company explicitly stated it had "no reason to believe" such data was accessed during the breach and assessed the event as unlikely to materially impact operations or finances.

This marked the second publicly disclosed cybersecurity incident for Bed Bath & Beyond within three years. In 2019, the company reported unauthorized access to customer accounts resulting from credential stuffing attacks, where threat actors used username and password combinations obtained from unrelated third-party breaches. The 2022 phishing incident remained under investigation with limited technical details released, though the company emphasized containment measures and reiterated its preliminary conclusion regarding the absence of sensitive data exposure. The SEC filing concurrently announced a separate corporate action unrelated to the breach: an offer to sell up to $150 million worth of stock. No further updates regarding regulatory notifications, forensic findings, or customer communications were detailed in the source material.
