Retailer Vera Bradley: Payments System HackedFBI Warning Triggers Discovery of July Breach Involving Malware
In a statement posted to its website Oct. 12, the retailer says payment card transactions conducted between July 25 and Sept. 23 at some of its locations may have been affected. Vera Bradley has 114 full-line stores and 45 factory outlets in 35 states.
Online purchases do not appear to have been impacted by the incident, the retailer adds.
The company did not reveal the number of payment cards potentially impacted by the incident. But spokeswoman Julia Bentley told Reuters that it's not yet clear how many cards might be affected. She added that cards used on the company's website were not affected by the breach and that the retailer expects insurance to cover most of the cost of the breach. Bentley also told Information Security Media Group that Vera Bradley hired FireEye's Mandiant to investigate the breach.
The breach involved malware, although it's not yet clear if the malicious code was installed on point-of-sale devices or back-end systems.
"Findings from the investigation show unauthorized access to Vera Bradley's payment processing system and the installation of a program that looked for payment card data," the retailer says in its statement. "The program was specifically designed to find track data in the magnetic stripe of a payment card - that may contain the card number, cardholder name, expiration date and internal verification code - as the data was being routed through the affected payment systems. There is no indication that other customer information was at risk."
FBI Alerted Retailer
Vera Bradley says it learned of a possible compromise of its network on Sept. 15 when it was contacted by the FBI.
"Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of [Mandiant] to aggressively gather facts and determine the scope of the issue," the retailer says. "Findings from the investigation show unauthorized access to Vera Bradley's payment processing system and the installation of a program that looked for payment card data."
Vera Bradley says it has stopped the intrusion and is working with Mandiant "to further strengthen the security" of its systems.
The retailer does not state whether it's providing identity theft protection or credit monitoring to customers who may have been impacted by the incident. The company has provided a hotline for consumers to call as well as links to credit-monitoring providers Equifax, Experian and TransUnion.
Bevy of Breach Victims
The fashion accessories retailer is the latest victim in a long series of payments system breaches that have involved stealing data from mag-stripe payment cards. Among some of the more noteworthy breaches of late are those that compromised fast-food chain Wendy's; apparel retailer Eddie Bauer; and hotel chains Hilton, Hyatt, Omni Hotels & Resorts, Starwood Hotels and Resorts , Trump Hotels, HEI Hotels & Resorts, Kimpton Hotels & Restaurants, Millennium Hotels & Resorts North America, Noble House Hotels and Resorts, and Hutton Hotels.
Security experts say hack attacks and related data harvesting is becoming increasingly industrialized. Any point in the payments ecosystem - including retailers and payments processors - is potentially at risk.
"Hackers no longer seem to be focused on a single merchant," says Alex Holden, CISO at security and forensics firm Hold Security. "They are focused on doing mass production attacks across multiple merchants, which makes it difficult to pinpoint the point of breach. That's extremely concerning to me, because this changes the game. It's not just individual merchants that have to protect themselves; it's also the support infrastructure, the POS systems and services providers - and they are typically not as secure as the merchants."