Pierluigi Paganini
October 13, 2016
The American retail chain Vera Bradley is the last victim of a data breach, the company announced that hackers have stolen a yet undetermined number of payment card data.
The breaches affected customers shopping at its 112 stores and 44 outlets between in the period between 25 July and 23 September 2016. It seems that customers shopping on the official website was not impacted.
The FBI alerted the Vera Bradley company to the breach on 15 September, experts from the forensics firm Mandiant that investigated the incident confirmed the theft of credit card track data.
“On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue.” states the official announcement published by the company.
“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected. Findings from the investigation show unauthorised access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data,” added the company.
The hackers breached the network of the company and installed a malware on its servers that exfiltrated payment card data.
“The program was specifically designed to find track data in the magnetic stripe of a payment card that may contain the card number, cardholder name, expiration date, and internal verification code – as the data was being routed through the affected payment systems.” states Vera Bradley.
Crooks accessed card number, cardholder name, expiration date, internal verification code, and other information stored in magnetic stripe track of the cards.
“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected.” reads the notice of data breach. “On September 15, 2016, Vera Bradley was provided information from law enforcement regarding a potential data security issue related to our retail store network. Upon learning this information, we immediately notified the payment card networks and initiated an investigation with the assistance of a leading computer security firm to aggressively gather facts and determine the scope of the issue. Findings from the investigation show unauthorized access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data. “
Vera Bradley confirmed that not all credit cards used during the period were exposed, anyway it is important that customers monitor their bank accounts promtly reporting any unauthorised card charges.
The company confirmed to have stopped this incident and said that it is still working with the forensics security firm to improve the security of its systems to prevent similar incidents in the future.
This incident is the latest in a series of recent US retail chain breaches affecting the likes of Wendy’s, Hard Rock Hotel and Casino Las Vegas, and Eddie Bauer.
[adrotate banner=”9″]
(Security Affairs – Vera Bradley, data breach)
