Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information.
All the retailer’s stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date.
The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016 may have been accessed, but added that not all cardholder transactions were affected. Payment card information that was used for online purchases at its website was not affected.
The company is the latest in a long list of retailers, hotels and other establishments that were hit by point-of-sale malware that skimmed payment card information.
Eddie Bauer learned during the investigation that the malware found on its systems was “part of a sophisticated attack” directed at multiple restaurants, hotels, and retailers, besides its own operations, CEO Mike Egeck said in a statement. “Unfortunately, malware intrusions like this are all too common in the world that we live in today,” he added.
The company said it has been working closely with the FBI, cybersecurity experts, and payment card organizations, and wanted to reassure customers that it had fully identified and contained the incident. Customers would not be responsible for any fraudulent charges to their accounts, it added.
Eddie Bauer said it had taken measures to strengthen the security of its point-of-sale systems to prevent a similar hack in the future. Kroll, a provider of risk mitigation and response, would provide 12 months of complimentary services to affected customers, it added.
Businesses need to be able to watch more closely the data passing through a corporate network to have a better chance of preventing breaches or at least minimizing the damage by stopping them soon, said John Christly, chief information security officer of Netsurion, a provider of remotely-managed security services for multi-location businesses, in an emailed statement.
“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical un-managed firewall,” he added.
Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Omni Hotels & Resorts, HEI Hotels & Resorts and Neiman Marcus have also previously reported data breaches through their point-of-sale systems.