The Story of the Best Buy Data Breach

  • By David Lukic
  • Sep 29, 2020

Along with Sears, Kmart, and Delta, Best Buy was also impacted by a massive cyber intrusion. Best Buy, like many other retail companies, uses chat services to interact with customers. They outsource their chat services to a company called [24] That third-party vendor experienced a cyber-attack, which allowed hackers to gain access to Best Buy customer payment information. Although Best Buy insists that very few customers were affected, everyone who is a Best Buy customer should take notice. Executives responded to the Best Buy data breach by saying,

“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24] incident, whether or not they used the chat function.”

Upon learning of the breach, Best Buy contacted law enforcement and worked with the vendor and cybersecurity experts to glean the extent of the damage. The tech retailer also promised free credit monitoring to anyone affected by the breach.

best buy data breach

When Was the Best Buy Data Breach?

The Best Buy data breach took place between September 27 and October 12 of 2017. While Best Buy didn’t announce the hacker’s strategy, Delta created a page on its website addressing the event.

The airline reported that hackers installed a piece of malware into the chat software used by various retail outfits. The code was designed to steal credit cards and other personal information. News of the incident did not break until April of 2018.

This announcement came more than half a year after the breach occurred, which gave malicious actors more than enough time to use the stolen information. However, it’s hard to blame the slow response on the companies, as [24]7 didn’t notify them until late March.

How to Check if Youre a Victim of the Best Buy Breach

After the incident, Best Buy worked to determine which customers were affected by the data breach. They then alerted them through the mail with explicit instructions on how to respond.

Although no firm figure was ever released on how many customers were affected from Best Buy leak, you should assume you were and take action. Even users who never directly interacted with the [24]7 chat software could be in danger since the malware attacked the sites themselves.

What Kind of Information does Best Buy Collect?

Best Buy has a page on their website, which clearly explains what types of information they collect on customers, how it is used, and who they share it with.

Depending on how you interact with Best Buy, the information it has can include any of the following:

  • Full Name
  • Current and Past Addresses
  • Email Address
  • Phone Number
  • Card/Banking Information
  • My Best Buy® member ID

If you’ve applied for credit opportunities, filled out surveys, or used the mobile application, then Best Buy may also have your:

  • Driver’s License Information
  • Social Security Number
  • Location Data
  • Demographic, Income, and Lifestyle Information
  • Insurance Information
  • Fingerprints
  • Facial or Wrist Geometry
  • Survey Responses

Apart from the personally identifying information you provide the site, Best Buy collects what it calls “observed behavior.” This type of data includes footage from security cameras, tracking visitor cookies, and even what type of device you shop on (i.e., computers, tablets, phones, etc.)

The linked privacy webpage explains how Best Buy only uses your information to deliver a “great experience” with them. Best Buy uses the information to build marketing profiles and only show customers products they’re interested in.

This strategy isn’t anything new, individual profiles have been the backbone of marketing for over a decade. However, this information can also inform hackers and fraudsters about the best way to approach their targets. If you’ve potentially been a victim of the Best Buy data breach, beware any technology or hardware related marketing from unconfirmed sources.

best buy breach

Best Buy Account Hacked? Here's What to Do 

If you paid for anything at Best Buy or had a Best Buy credit card, there is a good chance that information ended up in the hands of the hackers. 

Additionally, they posted this notice on their website regarding the [24] incident to help customers understand the dangers and what to do. Some tips for dealing with this type of data breach are:

  • Cancel any credit cards used with Best Buy and change the PIN codes.
  • Reset your password for and other accounts using the same password.
  • Carefully monitor your Best Buy credit card statements and bank accounts for any fraudulent charges. 
  • Get a copy of your credit report and consider a credit freeze to keep criminals from opening new accounts in your name. 
  • Sign up for credit monitoring with a company like

Will the Best Buy Data Breach Cause Identity Theft?

Even the basic information stolen by the group responsible for the Best Buy data breach is enough for identity theft and jumpstart phishing campaigns or scams that trick you into divulging the additional information necessary to steal your identity.

Best Buy’s announcement stated that hackers hadn’t acquired any username/password combinations from the site. Hackers likely tried to “brute force” their way into accounts based on the collected information.

As many people use personal details in their login credentials, information like birthdays and addresses are valuable to malicious actors. Collections of data like this are taken every day and sold on the dark web for this very purpose.

Other Cases of Best Buy Data Use

Did you know that Best Buy has a history of sharing information with the FBI?

Similarly to the Apple Genius Bar, the Geek Squad is a repair and troubleshooting service offered by Best Buy. Sometimes, fixes take multiple days, and devices are left with them. This seems safe enough, but there have been numerous cases of Geek Squad employees working as informants for the FBI.

Geek Squad members are looking for indecent and pornographic material stored on the devices people bring in. This includes aiding cases like the prosecution of Mark Rettenmaier, a California doctor who was found with child pornography when he sent his laptop in for repairs.

While most people don’t have to worry about going through the same thing, there is reasonable concern over the warrantless searches of customers’ computers. The Electronic Frontier Foundation (EFF) filed a Freedom of Information Act lawsuit against the FBI.

The lawsuit released records that shed more light on the FBI’s relationship with Geek Squad employees. Interactions date back to 2008 during a meeting the FBI held at one of Best Buy’s repair facilities in Kentucky.

Concerns primarily revolved around how Best Buy employees knew which devices to search for indecent material. Were they rummaging through every computer or only searching specific devices? The EFF argues that these searches are a dishonest strategy for getting around the Fourth Amendment (unreasonable search and seizure.)

However, Best Buy claims employees are prohibited from searching devices for anything unrelated to the customer’s problem. Any illegal material found is reported due to a “moral and, in more than 20 states, a legal obligation.”

What to Do to Protect Yourself Against Hackers and Thieves

In this very digital age, it is almost impossible to believe that you can keep your information private and your data safe. However, there are precautions you can take and techniques you can use to keep things secure.

Update Your Antivirus

Cybercriminals are constantly evolving and finding new ways to exploit your system. Despite the industry’s best efforts to develop fixes in response, these only work if you keep your antivirus up to date.

Millions of users don’t update their phone’s operating system because they believe the update is minuscule or unnecessary. These updates often protect your web browsers and applications against new cybercrime strategies.

Monitor Financial Statements

Financial fraud can be hard to catch right away. In 2019, the American Bankers Association reported over $25 billion in losses due to banking fraud the previous year.

While checking your bank account every hour is unreasonable, regularly updating yourself gives you a much better chance of noticing fraudulent activity. It’s a good habit to check your financial statement at least once daily.

This is especially relevant to people who primarily use debit cards. Debit cards don’t offer the same level of fraud protection as credit cards and can leave you liable for fraudulent charges.

If you’ve recently been involved in an event like the Best Buy data breach, you’ll need to pay closer attention to your bank statements. Documenting fraudulent charges and keeping strong records are necessary to receive settlement payouts.

best buy leak

Strong Passwords are Key

It’s played for laughs on TV shows when an elderly person uses “password” as their password. Unfortunately, NordPass in 2022 still had it as the most commonly used password, with “123456” following not far behind.

Those are not strong choices.

Another common password problem is people mixing in their personal information. It’s understandable why: using a birthday or childhood address makes it easier to remember.

However, using that kind of information in your password makes it easier for cybercriminals to break in. Even if they don’t steal your login credentials directly from a company like Best Buy, they can still guess passwords based on your other information.

Try to follow these rules for a stronger password:

  • Use a different password for every account
  • Mix in uppercase, lowercase, numbers, and special characters
  • Make strong random passwords a minimum of 16 characters

We know that these tips aren’t easy to follow. Luckily, nearly every browser has a highly secure password manager that creates and saves random passwords for your convenience.

Implement 2-Step Verification

2-Step, or 2-Factor, verification adds an extra layer of security to your account. It requires at least two forms of authentication before logging you in and could be anything from responding to a text message to supplying your fingerprint.

So, even if a criminal guesses your password, they still won’t gain access to your account.

Best Buy offers 2-Step verification in the form of a security code. They’ll send your phone a random code whenever you attempt to log in from an unverified device.

If you receive this message unprompted, it means that someone is trying to break into your account. In this case, immediately change your account details and contact Best Buy’s customer service.


About the Author
IDStrong Logo

Related Articles

What is Data Leak and How to Prevent Accidental Data Leakage

Data breaches take many forms, and one of them is through data leak and accidental web exposure. M ... Read More

The Saga of T-Mobile Data Breach: 2013, 2015, 2021 and 2023 Hacks

T-Mobile has experienced a number of data breaches in the past decade. The first case occurred som ... Read More

Anthem Data Breach Exposed 78 Million Records

In the Anthem Data Breach of 2015, hackers were able to steal 78.8 million member’s records. ... Read More

Everything You Need to Know About Insider Data Breach

Data breaches are on the news frequently, but the average person doesn’t really know that mu ... Read More

The NSA Hack, How Did it Happen?

The National Security Agency (NSA) was the main attraction in a major data breach involving three ... Read More

Latest Articles

Health Organization Records Stolen via Welltok’s MOVEit - 930k+ Including Minors

Health Organization Records Stolen via Welltok’s MOVEit - 930k+ Including Minors

The number of victims caused by the global MOVEit data breach continues to climb; Welltok has announced more exposures, this time from three more health organizations.

MOVEit Breach Creates More Victims; 105k Records Stolen from Insurance Group

MOVEit Breach Creates More Victims; 105k Records Stolen from Insurance Group

"Pan American Life Insurance Group Building - New Orleans" by Tony Webster is licensed under CC BY 2.0. Source: Flickr

New York Healthcare Provider Notified 600k Following Network Cyberattack

New York Healthcare Provider Notified 600k Following Network Cyberattack

East River Medical Imaging (ERMI) has three locations in New York City and Westchester County.  ERMI is a "multi-modality radiology center," including patient-centered solutions like MRIs, CTs, ultrasounds, imaging, radiology, fluoroscopy, and x-rays.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address