Ikea Canada tight-lipped on details of breach of security controls


Ikea Canada isn’t saying exactly how it discovered an employee had searched a customer database without permission, or whether their searches were saved in an unsecured file.

Reports of the breach of security controls emerged last week when Global News said a customer of the furniture retailer said he had been notified of a data incident. Ikea Canada said 95,000 customers are being notified.

On Monday, Ikea Canada public relations leader Kristin Newbigging told ITWorldCanada that the company was made aware that some customers’ personal information appeared in the results of a generic search made by a co-worker between March 1st and March 3rd.

Asked by email specifically how the company found out, whether the employee saved searches and, if so, whether the information was not secured by a password and was open on the internet, Newbigging would only say that the incident was discovered during an investigation.

“We have taken actions to remedy this situation, including steps to prevent the data from being used, stored, or shared with any third parties,” she wrote.

“We can confirm that no financial or banking information was accessed,” she also said. “No action is required by our customers.

“We have proactively notified the Office of the Privacy Commissioner of Canada about this incident, as well as any applicable customers. We have also reviewed and updated internal processes to prevent such incidents in the future.”


To Ikea Canada’s credit, said Erich Kron, security awareness advocate at KnowBe4, it spotted the kind of data access that many organizations would not have noticed, and by furnishing the information to the Office of the Privacy Commissioner of Canada, allowed potential victims to take steps needed to protect themselves. “Like with their store layouts, spotting when and where data may have been accessed, especially by an internal employee, can lead down an ever-twisting path full of false flags and pointless distractions, often resulting in nothing useful being found.

“Organizations should be careful to periodically confirm the type of data employees can access and should limit it to the least amount needed to perform their job. In addition, penetration tests should be performed to look for vulnerabilities within the network and Data Loss Prevention (DLP) controls enabled to reduce the chance of sensitive data being removed from the network.”


The incident accentuates the threat posed by the “inside job,” said Erfan Shadabi, cybersecurity expert with data security specialists comforte AG. “When we hear of careless handling of sensitive information, we begin to wonder just how secure our own data is within the many different data ecosystems housing and processing it. Employees are usually granted a certain level of trust with enterprise data, even if they don’t have access and rights to all information within the organization. Working from the inside with an implied level of trust means that the inside job has more time to develop and execute an effective exfiltration strategy.

“The answer to counter this threat,” he said, “is to recognize how vulnerable businesses are from the inside and to adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network.

“Also, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof. Make sure that data-centric protection such as tokenization or format-preserving encryption effectively obfuscates sensitive information in case internal or external threat actors find their way into your data ecosystem.”

The post Ikea Canada tight-lipped on details of breach of security controls first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
