Retailer Vera Bradley: Payments System Hacked


Breach Dating Back to July Involved Malware

Fashion accessories retailer Vera Bradley says its payments processing system was compromised by a malware attack.


In a statement posted to its website on Oct. 12, the retailer says payment card transactions conducted between July 25 and Sept. 23 at some of its locations may have been affected. Vera Bradley operates stores in 35 states.

Online purchases do not appear to have been impacted by the incident, the retailer adds.

The company did not reveal the number of payment cards potentially impacted by the incident. The retailer did not immediately respond to Information Security Media Group's request for further details.

"Findings from the investigation show unauthorized access to Vera Bradley's payment processing system and the installation of a program that looked for payment card data," the retailer says in its statement. "The program was specifically designed to find track data in the magnetic stripe of a payment card - that may contain the card number, cardholder name, expiration date and internal verification code - as the data was being routed through the affected payment systems. There is no indication that other customer information was at risk."

Notified by Law Enforcement

Vera Bradley says it learned of a possible compromise of its network on Sept. 15 when it was contacted by law enforcement officials.

"Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue," the retailer says. "Findings from the investigation show unauthorized access to Vera Bradley's payment processing system and the installation of a program that looked for payment card data."

Vera Bradley says it has stopped the intrusion and is working with an unnamed security firm "to further strengthen the security" of its systems.

The retailer does not state whether it's providing identity theft protection or credit monitoring to customers who may have been impacted by the incident. The company has provided a hotline for consumers to call as well as links to credit-monitoring providers Equifax, Experian and TransUnion.

The fashion accessories retailer is the latest victim in a long series of payments system breaches that have involved stealing data from mag-stripe payment cards. Among the more noteworthy recent breaches are those that compromised fast-food chain Wendy's; apparel retailer Eddie Bauer; and hotel chains Hilton, Hyatt, Omni Hotels & Resorts, Starwood Hotels and Resorts, Trump Hotels, HEI Hotels & Resorts, Kimpton Hotels & Restaurants, Millennium Hotels & Resorts North America, Noble House Hotels and Resorts, and Hutton Hotels.

Mass Production Attacks

"Hackers no longer seem to be focused on a single merchant," says Alex Holden, CISO at security and forensics firm Hold Security. "They are focused on doing mass production attacks across multiple merchants, which makes it difficult to pinpoint the point of breach. That's extremely concerning to me, because this changes the game. It's not just individual merchants that have to protect themselves; it's also the support infrastructure, the POS systems and services providers - and they are typically not as secure as the merchants."