In a statement released this morning, women’s clothier chain bebe stores inc. confirmed news first reported on this blog Thursday: That hackers had stolen customer card data from stores across the country in a breach that persisted for several weeks last month.
Bebe stores said its investigation indicates that the breach impacted payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014. The data may have included cardholder name, account number, expiration date, and verification code.
The company emphasized that purchases made through its web site, mobile site/application, or in Canada or other international stores were not affected, and that customers should feel confident in continuing to use their payment cards in bebe stores.
“Our relationship with our customers is of the highest importance,” said bebe CEO Jim Wiggett, in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”
Predictably, bebe stores is offering free credit monitoring services for one year to customers impacted by this incident, even though credit monitoring services do nothing to help consumers block fraud on existing accounts — such as credit and debit card accounts that may have been stolen in this breach.
Consumers still need to keep a close eye on monthly statements, and report any unauthorized charges as quickly as possible.
On Thursday, KrebsOnSecurity reported that several banks had complained about a pattern of fraudulent charges on customer credit cards that all had one thing in common: They’d all been used at bebe locations across the country. One bank contacted by this reporter also found several of its cards for sale in a brand new batch of stolen cards pushed onto the market in an underground “carding” shop, cards that all turned out to have been used at bebe stores during a two-week period in the latter half of November.
Interestingly, when I first accessed the breach notification page at bebe stores this morning, Kaspersky Antivirus flagged the page as a possible phishing attack (see screenshot below). This is most likely a false positive, but I thought it was worth mentioning anyway.