Nordstrom Breach Exposes Data On 76K Employees

Nordstrom has suffered a data breach that exposed employee names, Social Security numbers, dates of birth, checking account and routing numbers, salaries and more.

According to The Seattle Times, a company spokesperson confirmed that employees received an email notification and apology from Co-president Blake Nordstrom last week regarding the breach. Employees who may not have regular access to corporate email accounts were being notified by their managers at work. Social media posts show that some former employees, who left the company months ago, have also received notification letters.

Nordstrom would not say how many people were affected — those employees are being notified by mail. Nordstrom had about 72,500 full- and part-time employees in 2017, and that number grew to 76,000 in December due to the holiday season.

The company spokesperson said customer data was not affected in the breach. Nordstrom is “investigating an incident where a contract worker improperly handled some Nordstrom employee data,” a statement revealed. It went on to explain that the information security team at the company discovered the incident, which took place on Oct. 9, and that the contract worker “no longer has any access to our systems and we’re putting additional measures in place to help prevent this from happening again.” Nordstrom has since notified law enforcement and started an investigation.

“We have no evidence [that] data was shared or used inappropriately,” Nordstrom said. “Out of an abundance of caution, we are notifying our employees so they can take the appropriate steps to monitor for any potential unauthorized activity.”

Nordstrom is offering affected employees 24 months of identity protection services provided by AllClear ID.

The retailer isn’t the first to be hit with a breach. In April, retailer Hudson’s Bay disclosed that customers at Saks and Lord & Taylor stores in North America had their payment cards compromised. In July,  Macy’s revealed that hackers obtained names and passwords of online customers — and might have accessed credit card numbers and expiration dates.