For the second time in a year, big box retailer Bed Bath & Beyond has been the target of a data breach that has put potentially thousands of customers’ personal information at risk. The store, which is already struggling financially, has asked its customer and technology chief to step down in hopes that they can get ahead of the problem under new leadership.
This breach was the result of a phishing expedition in which a BB&B employee provided access (likely unwittingly) to a hard drive and shared drives that may have contained personally identifiable information. Thus far, the company has declined to say what information may have been stolen, whether measures were in place to mitigate risk, or even what steps they would take to avoid future attacks. Not the best response from a company already on the ropes.
What could they have done differently? What can other retailers (big and small) do to keep their customers’ information safe?
- Hire a cyber/forensic expert to identify vulnerabilities and develop a risk mitigation strategy to keep this from happening again.
- Gain a very clear picture of what information has been (or could have been) divulged and communicate that to potentially compromised customers.
- Conduct training with employees to ensure they understand their role in online security and how to avoid being scammed or hacked.
- Have a cybersecurity program in place that helps the company protect against, detect and respond to attacks.
- Ensure the new technology officer makes a public statement about how BB&B will make cybersecurity a priority in the future.
As we move into the biggest shopping season of the year, it's critical that stores (brick and mortar and online) keep their customers safe from attacks. Bed Bath & Beyond, and other retailers like it, has the opportunity to change its current lax policies and put customers' privacy first.