Retailer Bebe Confirms Payment Card Data Breach

Another day, another payment card data breach. In what’s now becoming routine news, this morning retailer Bebe is confirming a security incident that took place over the busy holiday shopping period in November, in which attackers stole customers’ names, account numbers, expiration dates and verification codes from cards swiped in stores. The breach occurred between November 8, 2014 and November 26, 2014, and affected those shopping in the retailer’s stores located in the U.S., Puerto Rico, and the U.S. Virgin Islands.

The company says that international stores, as well as those shopping online or on mobile, were not affected.

Bebe currently operates 174 retail stores including the on-line store bebe.com, and 35 bebe outlet stores. We’ve asked the company to confirm, specifically, how many were attacked in the regions where the breaches were discovered.

The hack was first reported by the Krebs on Security blog on Thursday, which said that data gathered from several financial institutions and one underground cybercrime shop suggested that thieves had stolen credit and debit card data from Bebe’s in November, and that customer payment card data was already being resold online.

Like other hacks which took place at major retailers including Target, Neiman Marcus and Michaels, it’s likely that the thieves took advantage of security holes in Bebe’s cash register systems. Typically, thieves hack into these systems and plant malware that records mag stripe data when cards are swiped through machines, explains security expert Brian Krebs.

In a statement released this morning on Bebe’s website, the retailer says that it has alerted its payment processor, which is now working with the credit card companies so they can alert account holders. Additionally, Bebe advises customers to review their accounts for unauthorized activity and contact their bank if they see fraudulent charges. The retailer is also offering customers free credit monitoring services for a year. (Details are on the Bebe site linked above.)

 

Bebe has not yet said how many consumers were affected by this data breach, though we put this question to the retailer this morning and will update if they respond. In the meantime, the company CEO offered this statement:

“Our relationship with our customers is of the highest importance,” said CEO Jim Wiggett. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”

Bebe is now one of many retailers whose customer payment data has been stolen. Target’s breach during the 2013 holidays affected 110 million consumers. Home Depot’s breach saw 56 million accounts compromised. Staples, Neiman Marcus, grocer Supervalu and restaurant P.F. Chang’s have also come under attack in recent months.

To some extent, the problem is that retailers like these have large investments in dated point-of-sale systems running older software which may not have been kept up-to-date with the latest patches, or the retailers may have been lax on security procedures. But an even bigger concern has been that the U.S. continues to use less secure “mag stripe” cards when the rest of the world has moved to chip and PIN.

If there’s any silver lining to these data breaches, it’s that they’ve accelerated retailers’ timelines when it comes to converting their payment terminals to support chip and PIN cards.

Home Depot said it would convert its stores by year end. Target, Walgreens and Walmart have also promised to adopt chip and PIN technology ahead of the official U.S. October 2015 deadline.