Report: Internal data breach hits Ikea Canada
Personal information of some Ikea Canada customers was reportedly exposed in a March 2022 incident involving an employee.
According to Global News, an Ikea Canada spokesperson confirmed that personal information of about 95,000 customers appeared in a generic search one of its employees conducted in the Ikea Canada customer database between March 1-3, 2022.
Ikea Canada told Global News that no consumer financial or banking data was included in the search results. The retailer said it acted quickly to prevent any exposed information from being made accessible in any way to any outside parties.
Customers whose information may have been exposed were notified by email the week of April 25. Ikea Canada has also notified the Office of the Privacy Commissioner of Canada (OPC) about the data breach. The OPC is communicating with the retailer to obtain more information and determine next steps in response to the incident.
“While we can’t speculate as to why the search was made, we can share that we have taken actions to remedy this situation,” an Ikea Canada public relations official told Global News. “We have also reviewed our internal processes and reminded our co-workers of their obligation to protect customer information.”
In November 2021, the U.S. division of Ikea, a global retailer headquartered in Sweden, reportedly underwent a hacking attempt on its email system that involved duping employees with fraudulent messages. Ikea sent out internal emails warning employees that the company was experiencing a “reply-chain phishing” attack on its email system.
This cyberattack technique involves unauthorized intruders intercepting legitimate emails from corporate addresses and then responding to them from other compromised corporate email accounts and/or servers with links to malware. Ikea reportedly treated the attack as a “significant” breach which could potentially lead to future hacking efforts.
“Privacy is a difficult challenge for any organization, especially when it comes to internal employees who often need some of this information to perform their legitimate tasks,” Erich Kron, security awareness advocate at security solutions provider KnowBe4, said in a commentary provided to Chain Store Age about the Ikea Canada breach. “In this case, it appears the data was not stolen by cybercriminals, but accessed by an internal source. Ikea quickly assembled the facts, assessed the issue and took measures to ensure the data remained contained within the organization’s control.
“To their credit, Ikea did spot the kind of data access that many organizations would not have noticed, and by furnishing the information to the Office of the Privacy Commissioner of Canada, allowed potential victims to take steps needed to protect themselves,” said Kron. “Like with their store layouts, spotting when and where data may have been accessed, especially by an internal employee, can lead down an ever-twisting path full of false flags and pointless distractions, often resulting in nothing useful being found.
Organizations should be careful to periodically confirm the type of data employees can access and should limit it to the least amount needed to perform their job,” Kron concluded. “In addition, penetration tests should be performed to look for vulnerabilities within the network and Data Loss Prevention (DLP) controls enabled to reduce the chance of sensitive data being removed from the network.”