A data breach involving luxury retailer Nordstrom has potentially exposed the personal information of thousands of its employees.
The Seattle-based company said the compromised data included employee names, Social Security numbers, dates of birth, checking account and routing numbers, salaries, and more.
According to reports, some employees received an email notification this week informing them of the breach, while others were notified in person by their store managers.
In a statement, Nordstrom said its security team discovered the incident on Oct. 9 and that it was the result of a contract worker who improperly handled the employee information.
The worker in question “no longer has any access to our systems and we’re putting additional measures in place to help prevent this from happening again,” said the company in a statement.
The company added that, as of now, it has no indication that the compromised information has been shared or used inappropriately.
Nordstrom did not disclose how many of its employees were impacted by the breach. Those affected are being notified by mail.
According to its last annual financial report, the department store had approximately 72,500 full- and part-time employees in 2017. That number grew to 76,000 in December as it prepared for the holiday season.
Meanwhile, The Seattle Times reported that some former employees who left the company months ago also received notification letters.
“Out of an abundance of caution, we are notifying our employees so they can take the appropriate steps to monitor for any potential unauthorized activity,” explained Nordstrom in a statement.
Tim Erlin, VP of Product Management and Strategy at Tripwire, notes that “while we tend to see more headlines about customer data, compromises of employee data are also significant, especially to large employers who have thousands of employees.”
“Think about the personal data that your employer has about you. There’s enough data in there to carry out a variety of criminal activities, including identity theft and insurance fraud,” said Erlin.
“Risk assessments and threat modeling need to account for all the sensitive data within the organization, including employee data,” adds Erlin.