Only a month after Best Buy's customers were affected by a security breach at an outside e-mail company, the Richfield electronics retailer has disclosed that another batch of customer e-mail addresses may have been stolen from a former partner company.
Best Buy Co. Inc. confirmed that it is notifying affected customers by e-mail of the new security breach at an unidentified "former business partner." Best Buy said it believes the breach is limited to the potential theft of e-mail addresses.
Even so, that's a significant threat to consumers, said Rob Juncker, vice president of technology at New Brighton security firm Shavlik Technologies.
"An e-mail address is as good a way to identify someone as having a phone number," Juncker said. "Stealing an e-mail address enables an attack on someone, or an impersonation of someone that's believable."
Best Buy declined to say how many e-mail addresses were potentially stolen, or how the breach was discovered.
The company discovered April 22 that the e-mail addresses of some customers "were accessed without authorization," spokeswoman Sue Busch Nehring said. "We are pursuing appropriate legal actions as a result of this breach, so I cannot provide additional information. Best Buy ended its relationship with the involved third-party vendor prior to this situation as part of a strategic business decision unrelated to data security."
In an e-mail to consumers, Best Buy offered this warning: "Remember: Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com, or call us directly to place an order. If you receive an e-mail asking for personal information, delete it. It did not come from Best Buy."
Best Buy also declined to say whether the "former business partner" was an e-mail outsourcing firm like Texas-based Epsilon, which in early April reported a security breach involving customer e-mails of Best Buy, U.S. Bancorp and several other big names.
But Best Buy seemed to suggest in the consumer e-mail that its "former business partner" handled e-mail for other firms, too. "We do not believe that Best Buy was specifically targeted in this breach," Best Buy said in the e-mail.
Best Buy said that, at present, its main e-mail outsourcing partner is ExactTarget of Indianapolis.
The Best Buy breach underscores the problem corporations face in an era when corporate outsourcing of e-mail marketing is commonplace, Juncker said.
"If you put your information on someone else's computer system, it's your responsibility to make sure steps are taken to protect it," Juncker said. "Hackers have realized that these third-party companies are easier to attack than big enterprises, either because they've got poorly protected Web pages or they haven't kept up with the latest security software."
Juncker recommended corporations and their outsourcing providers use encryption to protect personally identifiable information such as Social Security numbers and e-mail addresses. Once information is encrypted, it is scrambled and unreadable to anyone who lacks the "encryption key," he said.
Marketing firms traditionally haven't used much encryption because it makes data slower to retrieve and harder to manipulate, he said.
"Encrypting everything is wasteful, particularly in marketing, where you refer to the data a lot," Juncker said. "But things that are personal should always be encrypted, and e-mail is very personal."
Steve Alexander • 612-673-4553