Nordstrom Employee Data Breach via Contractor (2018)

📅 2018-10-09 🏢 Unnamed contractor (vendor identity not publicly disclosed)

Incident Details

In October 2018, Nordstrom discovered that a contract worker had improperly handled employee personal data, resulting in the potential exposure of sensitive HR and payroll information for an undisclosed number of Nordstrom employees, with reports citing approximately 76,000 employees affected.

The anomalous activity was detected on October 9, 2018. Nordstrom notified affected employees and disclosed the breach publicly in November 2018. The contract worker involved no longer had access to Nordstrom systems by the time of disclosure.

The data potentially exposed included names, Social Security numbers, dates of birth, checking account and routing numbers, salaries, and other personally identifiable information. This combination of financial account details and SSNs created significant identity theft and financial fraud risk for affected employees.

Nordstrom stated it had no evidence that the data had been shared with or used by any unauthorized third party. The company offered affected employees 24 months of identity protection services through AllClear ID and implemented additional access controls to prevent recurrence.

The incident was notable for its nature: rather than an external hacker breaking into systems, a trusted insider, a contract employee, was responsible for the mishandling. The vendor providing the contract worker was not publicly named. The case illustrated the difficulty of enforcing data handling policies for contractor personnel who have been granted legitimate access to sensitive systems but whose actions may not be subject to the same level of monitoring as direct employees.

Nordstrom was praised for its rapid employee notification following discovery of the breach, which stood in contrast to the weeks or months of delay seen in many comparable incidents.

Technical Details

Initial Attack Vector: Insider mishandling of employee data by a contract worker with authorized system access; unauthorized exfiltration or exposure of HR and payroll data
Vendor / Product: Unnamed contractor (vendor identity not publicly disclosed)
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2018-10-09 Breach occurred
  2. 2018-11-09 Publicly disclosed
  3. 2018-11-09 Customers notified