The attack is blocked, investigation is in full swing

Dec 5, 2014 21:49 GMT
Breach confirmed at stores in the US, Puerto Rico and Virgin Islands

Bebe Stores, Inc. confirmed today that point-of-sale systems at locations in and outside the US were compromised and that card data belonging to customers was stolen by unknown attackers.

An investigation has been initiated by the company through a team of security experts in order to determine the extent of the breach.

News about a possible compromise broke on Thursday, when security blogger Brian Krebs reported that he received information from several financial institutions that card data of Bebe Stores customers was up for sale on an underground market.

The banks reached this conclusion after purchasing a small lot of cards to determine the retailer that had been compromised. According to their analysis, the incident had been under way since at least November 18 and continued until at least November 28.

Stores outside the US have been affected

However, in an official statement on Friday, Bebe said the attack had started on November 8 and was stopped on November 26, giving the intruders a window of three weeks to steal the data.

Also, it appears that the issue is more widespread than initially believed because apart from locations in the US, stores in the Virgin Islands and Puerto Rico were also affected.

As far as the data taken is concerned, the company says that cardholder names, account numbers, expiration dates, and verification codes were included.

Card verification codes, a set of three or four numbers present on the back of the card, are generally used for card-not-present transactions, such as online purchases; some retailers, however, also require them when the card is read by the point-of-sale (PoS) terminal, in an attempt to prevent fraud.

If the cybercriminals have the codes, they do not need to write the stolen magnetic stripe information onto a cloned card, which would not be usable in stores with this policy. However, together with the cardholder name, expiration date and card number, the codes allow fraudulent online transactions to be carried out.

Attack has been blocked, PoS systems are safe

“Purchases made through our website, mobile site/application, or in Canada, or our other international stores were not affected. Customers can feel confident in continuing to use their payment cards in our stores,” the company assures.

Jim Wiggett, CEO of Bebe, said in the official statement that steps have been taken to prevent this type of attack in the future, but no information on what the measures consisted of was provided.

As is usually the case in the wake of such incidents, Bebe offers free credit monitoring services to all customers who made a purchase during the time frame of the compromise. They have to enroll in the service themselves by calling a number available in the disclosure statement.
