Barnes & Noble has concluded that a cyberattack against its computer systems last month didn’t compromise customer data — even as publishers worry the aftereffects could muck up book distribution during the crucial holiday season.
In an exclusive interview, B&N CEO James Daunt said the giant bookseller now believes the data breach it disclosed in mid-October was the result of an odd “ransomware” attack — odd partly because the hackers never demanded a ransom.
Cybersecurity experts told the company the breach had all the earmarks of such attacks, which typically come from Russia, Ukraine and other Eastern European countries. It remains unknown where the attack originated, Daunt said.
“We had a cybersecurity attack and when we detected that, we just shut everything down,” Daunt told Media Ink. “We decided to act with extreme caution and notify customers.”
On the positive side, the bookseller’s boss said the company’s cybersecurity experts found “zero customer data was compromised.” They eventually determined that the hackers gained access to B&N’s systems through a network used by publishers known as the Electronic Data Exchange (EDI).
On the negative side, the investigation disrupted B&N’s systems from late October into early November.
“We brought it [EDI] back very slowly because we wanted to know where the breach occurred,” said Daunt. “Some of the back-end systems were out for three or four weeks.”
Daunt said B&N hasn’t had trouble getting shipments from publishers and that the company is able to track how its own books are selling. Still, he admits he was concerned that the massive first printing for ex-President Barack Obama’s memoir “A Promised Land” — which set a one-day sales record for Penguin Random House — could have been a problem.
Daunt said he was relieved when it went smoothly. Only one B&N store in Manhattan ended up with no copies on its official on-sale date of Nov. 14.
“It was actually smoother than Michelle Obama’s rollout,” Daunt said. And storewide, “there was an interruption of shipments to customers for half a day and in some cases of a couple of days.”
Nevertheless, the flow of information between the bookseller and publishers was more troublesome and took weeks to resolve, he admitted. Some publishers — mostly smaller ones — say they’ve been deprived of crucial data on how titles are actually selling, creating uncertainty about what to stock heading into the peak Christmas season.
“Time will tell whether they [B&N] have enough books on hand for the Christmas season,” said one small publisher who is faced with rushing books to B&N now that the computerized ordering system is back up and running.
And an exec at a big publishing house said data from B&N was “still a mess” as of last week, and the problem appears to have eased only this week.
“I assume it was worse for small publishers” who often aren’t equipped with automated ordering systems, said the executive, who spoke on the condition of anonymity. On some slow-selling books, he said, B&N “might not even realize they were out of stock.”
For its part, B&N insists the problem has been fixed, and that it had a minimal impact on business over the past month and should have no bearing on sales going forward.
Before the cyberattack, the nation’s biggest bookstore chain had been making a comeback since it shuttered more than 400 of its 600-plus stores in the United States in April and May at the height of COVID-19. Its retail outlets did not reopen until June.
Even now, cafe and magazine newsstand sales are still way off, but book sales at retail are actually running ahead of a year ago, Daunt said. Online sales are double last year’s.
Overall, he says, he expects book sales to be up in November. “That will mark the sixth straight month of book sales up over a year ago,” Daunt said.