The Story of the Best Buy Data Breach
Table of Contents
- By David Lukic
- Sep 29, 2020
Along with Sears, Kmart, and Delta, Best Buy was also impacted by a massive cyber intrusion. Best Buy, like many other retail companies, uses chat services to interact with customers. They outsource their chat services to a company called 7.ai. That third-party vendor experienced a cyber-attack, which allowed hackers to gain access to Best Buy customer payment information. Although Best Buy insists that very few customers were affected, everyone who is a Best Buy customer should take notice. Executives responded to the Best Buy data breach by saying,
“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this 7.ai incident, whether or not they used the chat function.”
Upon learning of the breach, Best Buy contacted law enforcement and worked with the vendor and cybersecurity experts to glean the extent of the damage. The tech retailer also promised free credit monitoring to anyone affected by the breach.
When Was the Best Buy Data Breach?
The Best Buy data breach took place between September 27 and October 12 of 2017. While Best Buy didn’t announce the hacker’s strategy, Delta created a page on its website addressing the event.
The airline reported that hackers installed a piece of malware into the chat software used by various retail outfits. The code was designed to steal credit cards and other personal information. News of the incident did not break until April of 2018.
This announcement came more than half a year after the breach occurred, which gave malicious actors more than enough time to use the stolen information. However, it’s hard to blame the slow response on the companies, as 7 didn’t notify them until late March.
How to Check if You’re a Victim of the Best Buy Breach
After the incident, Best Buy worked to determine which customers were affected by the data breach. They then alerted them through the mail with explicit instructions on how to respond.
Although no firm figure was ever released on how many customers were affected from Best Buy leak, you should assume you were and take action. Even users who never directly interacted with the 7 chat software could be in danger since the malware attacked the sites themselves.
What Kind of Information does Best Buy Collect?
Best Buy has a page on their website, which clearly explains what types of information they collect on customers, how it is used, and who they share it with.
Depending on how you interact with Best Buy, the information it has can include any of the following:
- Full Name
- Current and Past Addresses
- Email Address
- Phone Number
- Card/Banking Information
- My Best Buy® member ID
If you’ve applied for credit opportunities, filled out surveys, or used the mobile application, then Best Buy may also have your:
- Driver’s License Information
- Social Security Number
- Location Data
- Demographic, Income, and Lifestyle Information
- Insurance Information
- Facial or Wrist Geometry
- Survey Responses
Apart from the personally identifying information you provide the site, Best Buy collects what it calls “observed behavior.” This type of data includes footage from security cameras, tracking visitor cookies, and even what type of device you shop on (i.e., computers, tablets, phones, etc.)
The linked privacy webpage explains how Best Buy only uses your information to deliver a “great experience” with them. Best Buy uses the information to build marketing profiles and only show customers products they’re interested in.
This strategy isn’t anything new, individual profiles have been the backbone of marketing for over a decade. However, this information can also inform hackers and fraudsters about the best way to approach their targets. If you’ve potentially been a victim of the Best Buy data breach, beware any technology or hardware related marketing from unconfirmed sources.
Best Buy Account Hacked? Here's What to Do
If you paid for anything at Best Buy or had a Best Buy credit card, there is a good chance that information ended up in the hands of the hackers.
Additionally, they posted this notice on their website regarding the 7.ai incident to help customers understand the dangers and what to do. Some tips for dealing with this type of data breach are:
- Cancel any credit cards used with Best Buy and change the PIN codes.
- Reset your password for BestBuy.com and other accounts using the same password.
- Carefully monitor your Best Buy credit card statements and bank accounts for any fraudulent charges.
- Get a copy of your credit report and consider a credit freeze to keep criminals from opening new accounts in your name.
- Sign up for credit monitoring with a company like IDStrong.com.
Will the Best Buy Data Breach Cause Identity Theft?
Even the basic information stolen by the group responsible for the Best Buy data breach is enough for identity theft and jumpstart phishing campaigns or scams that trick you into divulging the additional information necessary to steal your identity.
Best Buy’s announcement stated that hackers hadn’t acquired any username/password combinations from the site. Hackers likely tried to “brute force” their way into accounts based on the collected information.
As many people use personal details in their login credentials, information like birthdays and addresses are valuable to malicious actors. Collections of data like this are taken every day and sold on the dark web for this very purpose.
Other Cases of Best Buy Data Use
Did you know that Best Buy has a history of sharing information with the FBI?
Similarly to the Apple Genius Bar, the Geek Squad is a repair and troubleshooting service offered by Best Buy. Sometimes, fixes take multiple days, and devices are left with them. This seems safe enough, but there have been numerous cases of Geek Squad employees working as informants for the FBI.
Geek Squad members are looking for indecent and pornographic material stored on the devices people bring in. This includes aiding cases like the prosecution of Mark Rettenmaier, a California doctor who was found with child pornography when he sent his laptop in for repairs.
While most people don’t have to worry about going through the same thing, there is reasonable concern over the warrantless searches of customers’ computers. The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act lawsuit against the FBI.
The lawsuit released records that shed more light on the FBI’s relationship with Geek Squad employees. Interactions date back to 2008 during a meeting the FBI held at one of Best Buy’s repair facilities in Kentucky.
Concerns primarily revolved around how Best Buy employees knew which devices to search for indecent material. Were they rummaging through every computer or only searching specific devices? The EFF argues that these searches are a dishonest strategy for getting around the Fourth Amendment (unreasonable search and seizure.)
However, Best Buy claims employees are prohibited from searching devices for anything unrelated to the customer’s problem. Any illegal material found is reported due to a “moral and, in more than 20 states, a legal obligation.”
What to Do to Protect Yourself Against Hackers and Thieves
In this very digital age, it is almost impossible to believe that you can keep your information private and your data safe. However, there are precautions you can take and techniques you can use to keep things secure.
Update Your Antivirus
Cybercriminals are constantly evolving and finding new ways to exploit your system. Despite the industry’s best efforts to develop fixes in response, these only work if you keep your antivirus up to date.
Millions of users don’t update their phone’s operating system because they believe the update is minuscule or unnecessary. These updates often protect your web browsers and applications against new cybercrime strategies.
Monitor Financial Statements
Financial fraud can be hard to catch right away. In 2019, the American Bankers Association reported over $25 billion in losses due to banking fraud the previous year.
While checking your bank account every hour is unreasonable, regularly updating yourself gives you a much better chance of noticing fraudulent activity. It’s a good habit to check your financial statement at least once daily.
This is especially relevant to people who primarily use debit cards. Debit cards don’t offer the same level of fraud protection as credit cards and can leave you liable for fraudulent charges.
If you’ve recently been involved in an event like the Best Buy data breach, you’ll need to pay closer attention to your bank statements. Documenting fraudulent charges and keeping strong records are necessary to receive settlement payouts.
Strong Passwords are Key
It’s played for laughs on TV shows when an elderly person uses “password” as their password. Unfortunately, NordPass in 2022 still had it as the most commonly used password, with “123456” following not far behind.
Those are not strong choices.
Another common password problem is people mixing in their personal information. It’s understandable why: using a birthday or childhood address makes it easier to remember.
However, using that kind of information in your password makes it easier for cybercriminals to break in. Even if they don’t steal your login credentials directly from a company like Best Buy, they can still guess passwords based on your other information.
Try to follow these rules for a stronger password:
- Use a different password for every account
- Mix in uppercase, lowercase, numbers, and special characters
- Make strong random passwords a minimum of 16 characters
We know that these tips aren’t easy to follow. Luckily, nearly every browser has a highly secure password manager that creates and saves random passwords for your convenience.
Implement 2-Step Verification
2-Step, or 2-Factor, verification adds an extra layer of security to your account. It requires at least two forms of authentication before logging you in and could be anything from responding to a text message to supplying your fingerprint.
So, even if a criminal guesses your password, they still won’t gain access to your account.
Best Buy offers 2-Step verification in the form of a security code. They’ll send your phone a random code whenever you attempt to log in from an unverified device.
If you receive this message unprompted, it means that someone is trying to break into your account. In this case, immediately change your account details and contact Best Buy’s customer service.