Retailer Bebe Confirms Card BreachAttack Focused on Cards Swiped in November
The company, which operates 175 retail stores and 35 outlet stores in the U.S., the U.S. Virgin Islands, Puerto Rico and Canada, says in a statement that it "recently detected suspicious activity on computers that operate the payment processing system for its stores."
Once the breach was detected, Bebe immediately engaged a computer security firm to block the attack from continuing, the company reports. Based on its investigation so far, Bebe believes the attack was focused on payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores Nov. 8-26.
Data potentially compromised includes cardholder name, account number, expiration date and verification code. A spokesperson for Bebe told Information Security Media Group the company is not disclosing the number of cards potentially compromised.
Purchases made through the company's website or mobile application, as well as those at stores in Canada, were not affected, Bebe says. Affected individuals are being offered free credit monitoring services for one year.
"We moved quickly to block this attack and have taken steps to further enhance our security measures," says Bebe CEO Jim Wiggett.
The incident could be a sign of a new trend where cyber-attackers focus on mid-size retailers, says John Gunn, vice president of VASCO Data Systems. "Large retailers, those with thousands of locations and billions in revenue, have improved their security and made themselves more difficult to attack," he says. "Midsize retailers simply don't have the IT security resources of their larger brethren and become easier victims for hackers. The payoff from a breach isn't as big, but there are many more targets for hackers to go after."
The breach at Bebe was first reported by security blogger Brian Krebs.