20141204-Bebe

Thursday 12/04/2014

Once again, the breach of a national retailer was discovered not by the retailer but by an independent security researcher, who found stolen credit and debit card data for sale on the web, priced at under $30 per card. See the breaking news at Krebs on Security.

Who: Bebe Stores, Inc. (pronounced Bee-Bee) is a national retailer of ladies' apparel with about 200 stores.

What: The stolen information appears limited to card data used at physical store locations, not the internet presence of Bebe’s.

When: The stolen card information was used November 18 to 28, 2014. It may be continuing. When the breach occurred is unknown as of 12/4/2014.

The exclusion of charges placed on the internet points toward compromised point-of-sale terminals, such as those used during the compromises at Home Depot, Neiman Marcus, Michaels (2011 and 2014), Target, and (sadly) more.

Friday 12/05/2014

Bebe’s confirmed the compromise of cards used in their stores in the United States, Puerto Rico and the US Virgin Islands from November 8 to November 26, 2014. Their internet store, mobile applications and brick-and-mortar locations in Canada or other international locations appear unaffected. The company has an announcement in which they offer credit monitoring. Bebe may have gone a bit too far in listing the requirements to apply for credit monitoring: the list included enough keywords that at least one major web protection product blocked the page, its linguistic heuristic analysis indicating that the page was phishing.

Scope: Compromised information may have included cardholder name, account number, expiration date, and verification code.

Scale: The number affected was not disclosed.

See the follow-up report at Krebs on Security.

 
 
