Security breach at Nordstrom exposes sensitive employee data
Seattle-based retailer Nordstrom is notifying employees of an information security breach that exposed their names, Social Security numbers, dates of birth, checking account and routing numbers, salaries and more.
Employees across the company received an e-mail notification and apology from co-president Blake Nordstrom on Wednesday informing them of the breach, a company spokesperson confirmed Friday.
Some employees, who may not have regular access to corporate e-mail accounts, were being shown the breach notification by managers when they arrived at work.
The company would not say how many people were affected by the breach; the affected employees were being sent notification letters.
Nordstrom had about 72,500 full- and part-time employees in 2017, according to its last annual financial report. Its ranks swelled to 76,000 in December as it brought on staff to handle seasonal demand.
Some former employees who left the company months ago have received notification letters, according to social media posts.
No customer data was implicated, according to the Nordstrom spokesperson, who provided a statement that hews closely to the language in the all-employee e-mail, which was reviewed by the Seattle Times.
The company is “investigating an incident where a contract worker improperly handled some Nordstrom employee data,” the statement said.
The company’s information security team discovered the incident, which occurred Oct. 9. The contract worker “no longer has any access to our systems and we’re putting additional measures in place to help prevent this from happening again,” according to the statement. Nordstrom notified law enforcement and began a comprehensive investigation.
“We have no evidence data was shared or used inappropriately,” the company said in a statement. “Out of an abundance of caution, we are notifying our employees so they can take the appropriate steps to monitor for any potential unauthorized activity.”
There was no information posted to the Washington Attorney General’s Data Breach Notifications page about the incident as of early afternoon Friday. State laws require businesses, individuals and public agencies to notify Washington residents who could be harmed by a security breach “in the most expedient time possible” and no more than 45 days after a breach is discovered. The Attorney General’s office must be notified if a breach impacts more than 500 Washington residents.
Nordstrom is offering affected employees 24 months of identity protection services provided by AllClear ID, an Austin, Texas-based company.