Cyber Incident Victim: Barnes & Noble
Date: Oct 2020
Location: United States of America
Summary
A ransomware attack attributed to the Egregor group compromised the corporate network of Barnes & Noble, causing service disruptions that included the unavailability of purchased NOOK digital content. The company shut down systems to contain the breach and later confirmed that the attackers had reached systems holding customer email addresses, billing and shipping details, and purchase histories; it stated that no payment information was stored on the affected systems. The threat actors claimed to have stolen financial and audit data and subsequently leaked Windows Registry hives exported from compromised servers as proof of their access, but they never produced the financial documents themselves, so that claim remained unverified. The incident prompted an investigation and a gradual, consultant-guided restoration of the network.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 10, 2020, Barnes & Noble experienced a cybersecurity incident that disrupted operations and compromised corporate systems. Customers first noticed the problem when they could no longer access purchased eBooks and magazine subscriptions through the Nook digital platform, and complaints followed on social media. The company acknowledged a "severe system failure" that day and shut down its network to contain the breach. The subsequent investigation attributed the outage to ransomware operators who, by their own account, exfiltrated unencrypted corporate data before encrypting devices. Barnes & Noble formally disclosed the cyberattack days later, confirming that the threat actors had accessed systems containing customer email addresses, billing and shipping addresses, and purchase histories. The company emphasized that no payment card information was exposed because it did not store financial data on the affected systems. The cybersecurity consultants it engaged found no evidence that data had actually been exfiltrated despite the attackers' claims, so the company characterized its customer notification as precautionary. Service disruptions persisted through the containment phase while systems underwent forensic analysis and were gradually restored under the consultants' guidance.

The Egregor ransomware group claimed responsibility through communications with BleepingComputer, identifying themselves as the perpetrators of the October 10 attack. The attackers stated that they had compromised a Windows domain administrator account and used it to steal financial and audit documents before deploying the ransomware. Egregor's involvement was partially corroborated when the group published Windows Registry hives exported from Barnes & Noble's servers; exporting those hives requires administrative privileges on the host, so the leak does establish privileged access, but registry hives hold host configuration (and, for some hives, credential material), not the sensitive financial records the group alleged to possess. Forensic timelines indicated that one threat actor initially breached the network and then handed access to a second operator who carried out the encryption phase, a division of labor typical of ransomware affiliate operations. Barnes & Noble maintained that network segmentation limited the attack's spread and allowed services to be restored in a controlled manner. The incident caused significant operational disruption, particularly to Nook services, and the exposure of personal customer information created privacy concerns even in the absence of financial data theft. Company communications emphasized the precautionary nature of the disclosure while acknowledging the attack's material impact on business operations and customer access.
