Aug 16

Malware Infected All Eddie Bauer Stores in U.S., Canada

Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after KrebsOnSecurity first notified the clothier about a possible intrusion at stores nationwide.

ebstoreOn July 5, 2016, KrebsOnSecurity reached out to Bellevue, Wash., based Eddie Bauer after hearing from several sources who work in fighting fraud at U.S. financial institutions. All of those sources said they’d identified a pattern of fraud on customer cards that had just one thing in common: They were all recently used at some of Eddie Bauer’s 350+ locations in the U.S. The sources said the fraud appeared to stretch back to at least January 2016.

A spokesperson for Eddie Bauer at the time said the company was grateful for the outreach but that it hadn’t heard any fraud complaints from banks or from the credit card associations.

Earlier today, however, an outside public relations firm circled back on behalf of Eddie Bauer. That person told me Eddie Bauer — working with the FBI and an outside computer forensics firm — had detected and removed card-stealing malware from cash registers at all of its locations in the United States and Canada.

The retailer says it believes the malware was capable of capturing credit and debit card numbers from customer transactions made at all 350 Eddie Bauer stores in the United States and Canada between January 2, 2016 to July 17, 2016. The company emphasized that this breach did not impact purchases made at the company’s online store eddiebauer.com.

“While not all transactions during this period were affected, out of an abundance of caution, Eddie Bauer is offering identity protection services to all customers who made purchases or returns during this period,” the company said in a press release issued directly after the markets closed in the U.S. today.

Given the volume of point-0f-sale malware attacks on retailers and hospitality firms in recent months, it would be nice if each one of these breach disclosures didn’t look and sound exactly the same. For example, in addition to offering customers the predictable and irrelevant credit monitoring services topped with bland assurances that the “security of our customers’ information is a top priority,” breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used.

That way, other companies could use the information to find out if they are similarly victimized and to stop the bleeding of customer card data as quickly as possible. Eddie Bauer’s spokespeople say the company has no intention of publishing these so-called “indicators of compromise,” but emphasized that Eddie Bauer worked closely with the FBI and outside security experts.

For more on the importance of IOCs in helping to detect and ultimately stymie cybercrime, check out last Saturday’s story about IOCs released by Visa in connection with the recent intrusion at Oracle’s MICROS point-of-sale unit. And for the record, I have no information connecting this breach or any other recent POS malware attack with the breach at Oracle’s MICROS unit. If that changes, hopefully you’ll read about it here first.



  1. i am doing a paper about security certification at offensive security. would you say that a problem like this could have been averted by using better certification?

  2. I received a letter from Eddie Bauer today explaining the situation. However they mentioned the last 4 digits of the card associated with the problem and that card does not belong to me. This is even more confusing. I thought it was a scam.

    • Same here. Just got the letter, also with 4 digits that are not from any of my cards. Just spent about 20 minutes talking with people via Kroll’s phone #. After requesting a supervisor I was told that the 4 digits sent in the letter DO NOT always match the person who receives the letter; mistakes made in transferring the info to Kroll’s. Online orders were not affected and even though the letter states “your card info WAS used” it also says “it MAY have been accessed without authorization”. Supervisor was very nice and agrees it’s confusing, but suggests anyone receiving the letter sign up for the monitoring offered. I rarely shop at Eddie Bauer and as of today, I’m done with them.

  3. The letter I received from EB offers 12 months of security protection from a company called Kroll. All the bad guys have to do is wait one year and a day to do the bad, which covers EB, and lets me end up paying for their ineffective malware protocols at day 366… The Kroll website requires me to enter my full Social Security number, even though they already have my membership number and recognized my identity through that. This seems redundant and additionally unsafe. I am an amateur at all this, I guess I just don’t understand why the service is being offered in the first place, other than to create business for Kroll.

    • Amateur,
      not only do the criminals have to wait 366 days, they have already created fake websites to phish your credentials…. the website for the credit monitoring service is https://kroll.idmonitoringservice.com yet the website https://kroll.id.monitoringservice.com is a phishing site that will collect all of your data – yep the only difference is the “period” between “id” and “monitoring”. I agree with you that asking for SSN again is not only redundant but also dangerous, however, EB does not have this information and in order to monitor your credit, the service must have that along with some other information. Best bet is to call the credit agencies and put a hold on your credit, sign up for text notification every time a charge is made on any of your bank cards (mine are set to as low as $1,- charges)

  4. I am one of the many possibly affected customers . I received the breach notification letter late last week and followed instructions… as you mentioned in your article, the credit monitoring services are becoming more and more worthless. And they are not doing the retailers that were breach ANY favors in regards to Customer Image. Case in point: after registering on the kroll.idmonitoringservcie.com, my username and password wouldn’t work. So I requested to reset the password, email was supposed to be sent…. no email. Waited a day, still no email, called during the very limited hours (8:00AM -5:00PM Central Time) and the hone agent was completely useless… “our servers are overwhelmed, please be patient…” really… my data gets breached, Eddie Bauer contracts with Kroll and I am supposed to be patient since Kroll can’t plan for the demand of folks enrolling? Since Eddie Bauer contracted with Kroll, this is an Eddie Bauer issue – they choose a sub-par contractor.
    I just got off the phone with EB and asked them to forward my complaint about the service to their management team. We will see what comes out of it.

  5. So the wife got the Eddie Bauer letter in the mail, Card used was a BofA card. I thought they have a reputation of being very trigger happy when it comes to cancelling cards proactively. I assume Eddie Bauer received our address from the issuing bank? Also would be curious what information EB and/or BofA shared with Kroll. Since they seem to ask for a SSN, do they actually have that one?

  6. My friend got this letter with the last four digits of MY credit card on it. She used her rewards card for my purchase. However, they won’t let ME sign up for the credit monitoring service. They told me on the phone to, “Get another credit card number.” Gee, thanks! That’s sooooo convenient for me! Morons!

  7. I got the same letter but the 4 digits were my card. Should I be concerned. I had a fraud warning on my Equifax and Trans Union but think have both expired as they are only good for 6 years. I would recommend everyone put that on your bureaus to prevent fraud.