American high-end fashion retailer Vera Bradley has revealed that hackers may have accessed customers' card data from payment processing systems at its retail stores this summer.
Known for its colourful, patterned quilted tote bags, the company said some cards used at stores between 25 July and 23 September 2016 may have been compromised. Cards used online were not affected.
The Fort Wayne, Indiana, company said law enforcement alerted them about a potential data security breach issue in its retail network on 15 September. The company then launched an investigation with the help of a security firm that revealed unauthorised access to Vera Bradley's payment processing system. It also showed the installation of a malicious program that tracked customer data in payment cards' magnetic stripes which may contain the card number, cardholder name, expiration date and verification code. Vera Bradley claims that "there is no indication that other customer information was at risk".
"Vera Bradley has stopped this incident and continues to work with the computer security firm to further strengthen the security of its systems to help prevent this from happening in the future," the company said in a statement. "Vera Bradley values the relationship it has with its customers and understands the importance of protecting personal information and therefore sincerely regrets any inconvenience this may have caused its customers."
The retailer has advised potentially affected customers to check their accounts and payment card statements for any potential unauthorised activity and to report any unauthorised charges to the card issuer. The company said it was continuing to support a law enforcement investigation and was working with payment card networks as well.
Due to the breach, it has postponed an upgrade to its website that was initially planned for October 2016, due to integration delays and the recent data breach "since resources previously allocated to the conversion were reallocated to resolving the security issue". The new website will now be launched in the first quarter of fiscal 2018.
The hack is the latest in a series of data breaches affecting US retailers' point of sale (POS) systems including Eddie Bauer, Hard Rock Hotel, Casino Las Vegas, Wendy's and Noodles & Company. Major hotel chains including Kimpton Hotels and Restaurants and HEI Hotels and Resorts recently announced that they were hit by payment card malware as well.
"POS systems have been a desirable target for a while now because they have an immediate reward in relation to effort expended," Mark James, a security specialist at ESET, told. "The type of data extracted... could easily be matched with previously stolen data and used for identity theft or fraud purposes. In these cases it is important that the affected user has all the information relating to the breach made available to them as soon as possible."