Security expert reports hack at Bebe Stores
Brian Krebs of Krebs On Security today reported a hack attack on Bebe Stores Inc. Bebe Stores is a high-end women’s clothing retailer with six stores in Eastern Massachusetts. Brian reported in a blog post that “several” financial institutions whose customers had shopped at one of Bebe’s 200 nationwide locations had begun noticing fraudulent charges.
Brian also reported that a new website called Goodshop, which deals in stolen credit and debit card data, was selling a big “dump,” or a large cache of stolen card numbers. This was noticed by a bank based on the East Coast, which acquired cards from a batch that Goodshop released on Dec. 1, called “Happy Winter Update,” and found them to be from Bebe. The prices in that Happy Winter batch range from $10 to $27 per card.
According to the bank’s investigation, “all of the cards had been used at Bebe Stores in the United States between Nov. 18 and Nov. 28. It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014.”
Brian said that, as of now, only data from Bebe’s physical stores may have been compromised and its online customers were safe. “There is no data to suggest that the apparent card breach at Bebe extends to the company’s online store. The items for sale at Goodshop are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example),” Brian noted.
It is most likely that Bebe’s point-of-sale systems were infected with one of the many pieces of malware floating around. Bebe has neither denied nor confirmed the breach. The company’s stock dropped briefly after the hack was reported, but rebounded and is currently trading at $2.73.
If the hack is confirmed, Bebe would be the latest in a string of nationwide retailers to have its customer data stolen. The FBI has already released an advisory to US businesses to be on the lookout for data-wiping malware called ‘wipall’, which infected Sony Pictures last week; around 25GB of data, in addition to Sony’s unreleased movies, was stolen by the cyber criminals.
#Update: Bebe Stores has confirmed the hack attack with a statement on its website. The statement said, “we believe the attack was focused on and limited to data from payment cards swiped in our U.S., Puerto Rico and U.S. Virgin Islands stores during a short window between November 8, 2014 and November 26, 2014. This data may have included cardholder name, account number, expiration date, and verification code. Purchases made through our website, mobile site/application, or in Canada, or our other international stores were not affected. Customers can feel confident in continuing to use their payment cards in our stores.”
Bebe Stores will be offering credit monitoring services for one year at no cost to customers who made a purchase using a payment card at a U.S., Puerto Rico or U.S. Virgin Islands store during that time frame. Customers who made purchases at these Bebe stores have been asked to contact the company’s customer care number at 888-236-0447, Monday through Friday, 6 a.m. to 6 p.m. PST.