Payment Cards Compromised for Nearly 6 Months at Unspecified Number of Stores
Buckle, a clothing retailer with 450 stores across the United States, said Friday that malicious software may have been used to steal payment card details for nearly six months, putting customers at risk.
Clothing retailer Buckle says malware installed on its point-of-sale systems apparently stole customers’ payment card details for nearly six months. Buckle’s warning follows a breach alert from Kmart, and shows the fight against payment card fraud is far from over.
Buckle’s breach alert, issued Friday, said that it had launched an investigation after it “became aware” that “a criminal entity accessed” payment card data some of its stores.
The retailer didn’t note how or when it first learned of the breach, and it couldn’t be immediately reached for comment. But the malware was active on its point-of-sale systems for nearly six months – from Oct. 28, 2016, until April 14, 2017. Thus, it’s likely that the breach was discovered on or around April 14, meaning that the company waited about two months before warning potentially affected customers (see Data Breach Notifications: What’s Optimal Timing?).
The company’s first public breach pronouncement about the breach, issued late Friday, followed security blogger Brian Krebs reporting Friday that earlier in the day, he’d queried the company about a potential breach.
Investigation Found Malware
After Buckle learned of the breach, “we immediately launched a thorough investigation and engaged leading third-party forensic experts to review our systems and secure the affected part of our network,” the company says. “Through that investigation we learned that our store payment data systems were infected with a form of malicious code, which was quickly removed.”
The malware collected the card number, expiration date and holder’s name, Buckle says. The company does not believe that any other customer information was accessed or stolen.