Add Bebe Stores Inc. to the list of retailers that have suffered a cyber attack just as the holiday season was getting started.
This story first appeared in the December 8, 2014 issue of WWD. Subscribe Today.
The Brisbane, Calif.-based specialty-store retailer acknowledged on Friday that customer payment card data were accessed from its payment-processing system from Nov. 8 to Nov. 26, the day before Thanksgiving. The breaches affected customers only at its stores in the U.S., Puerto Rico and the U.S. Virgin Islands and didn’t involve either stores in Canada or the Web site.
The data taken might have included cardholder names, account numbers, expiration dates and verification codes. Bebe declined to specify the number of customers who might be affected. It advised consumers to review recent transaction records and notify banks of any unauthorized activity; the company also offered credit monitoring to customers who made purchases at its stores during the specified dates.
“Our relationship with our customers is of the highest importance,” said Jim Wiggett, chief executive officer of the company. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”
Upon detecting what it termed “suspicious activity” on the computers that operate its payment system, Bebe retained an unidentified computer-security firm to arrest the attack. The company subsequently contacted its payment processor, which is working with credit-card companies to alert the banks whose customers may have had data compromised.
Bebe operates 175 Bebe stores and 35 outlets in the U.S., Canada, Puerto Rico and the U.S. Virgin Islands. Of its physical stores, only the 11 units in Canada weren’t affected by the November breach. Canadian stores typically require credit cards with embedded chips, rather than the easier-to-copy magnetic-stripe cards still used in the U.S., although chip-based cards will become the standard for U.S. retailers next year.
The Bebe breach, first reported on Thursday by KrebsOnSecurity.com, can be added to a long and growing list of cyber attacks that have hit retailers since the mammoth TJX Cos. Inc. attack, which, in 2007, compromised data from about 94 million customers.
Including the TJX incident, more than 200 million payment records have been taken from retailers in the past eight years. Yet, according to the National Retail Federation, retailers account for just 11 percent of hacking incidents versus more than three times that percentage for financial institutions.
Target was hit by a breach that affected about 40 million customers last holiday, as was Neiman Marcus, which saw the compromise of about 1.1 million records. More recently, about 56 million Home Depot customers might have had their credit information stolen.
Despite its disclosure of the cyber attack, Bebe shares on Friday rose 1.8 percent to $2.78.
The difficulty of stopping hackers was dramatized last week when Sony Pictures found that company passwords, Social Security numbers and even film properties were accessed by hackers. Sony has retained the cybersecurity firm FireEye to help safeguard its systems.