NEW YORK — Digital agency Createthe Group is said to be investigating a possible data security breach involving a number of its luxury, fashion and retail clients.
This story first appeared in the March 26, 2014 issue of WWD.
The breach has allegedly affected clients operating on the firm’s CTS e-commerce platform, which in the past has been used by the likes of Marc Jacobs, Donna Karan, Oscar de la Renta, DKNY and David Yurman.
It could not be learned if any of these firms were involved in the alleged breach, and spokesmen for Marc Jacobs, Oscar de la Renta and Donna Karan declined to comment. Createthe Group denied any breach of security on its platforms. A company spokesman said, however, that the firm has “proactively engaged Pen Test Partners, an approved PCI Forensic Investigator company, to conduct a comprehensive examination to ensure that there has been no intrusion to the CTS Platform and to support the ongoing security of the CTS Platform.”
According to a source, Createthe Group sent an e-mail to clients in January notifying them that certain brands it works with had hired firms to do audits of their systems and platforms — including Createthe Group’s own. Because of this, the agency said, it was also starting a full review of its systems. Createthe Group sent another e-mail earlier this month that said servers may have been compromised and that it wanted to meet with clients.
On March 13, Createthe Group said via e-mail that it would begin the process of retiring its CTS platform — exiting the e-commerce platform business altogether.
“This decision was based on a variety of market forces, including the saturated nature of the e-commerce platform market and the allocation of time, resources and funding necessary to assure that CTS Platform remains cutting-edge for the foreseeable future,” the e-mail stated, adding that the full-service agency will continue to offer “cutting edge services.”
For Createthe Group, a data breach would be the latest in a series of travails over the last few months, beginning with the dismissal of its cofounder and former chief executive officer James Gardner in August.
Createthe Group is considered a pioneer in the digital luxury space, and its services span brand strategy, design, content, e-commerce and marketing. It boasts a diverse client roster, having worked with firms such as Burberry, Alexander Wang, Nowness, H&M, Tom Ford, Calvin Klein, De Beers, Harry Winston and Kate Spade New York.
Failure to grow the company’s proprietary e-commerce software, CTS, was among the factors blamed for Gardner’s exit.
Createthe Group shuttered its London office earlier this month, and a founding member of the team and technology director based in London, Albert Kang, left as well.
A source close to the company said investors have been looking for someone to run the company and “bring it back” since Gardner’s departure — but have yet to find a replacement. Jamey Hargreaves of the U.K.-based Hargreaves family, which five years ago invested $12 million in the firm, has served as acting ceo.
If a breach of Createthe Group’s systems has taken place, it would be the latest in a string of such incidents that have hit retailers from Neiman Marcus to Target to Michaels Stores. In January, Neiman Marcus disclosed a security breach that it said could have impacted 1.1 million payment cards.
In December, Target Corp. disclosed a massive breach that may have affected up to 110 million consumers. Originally the number was thought to be 40 million, but the retailer subsequently revealed that another 70 million customers potentially could have had credit or debit information stolen. News stories on Tuesday quoted a Senate Commerce Committee report that said Target missed opportunities to prevent its data security breaches.
On Tuesday, the Senate Commerce, Science and Transportation Committee released a staff report alleging that Target potentially missed several opportunities to prevent the massive data security breach that affected as many as 110 million of its customers.
According to the report, Target gave network access to a third-party vendor with “weak security,” which “allowed the attackers to gain a foothold in Target’s network”; failed to respond to multiple automated warnings from the company’s “anti-intrusion software” signaling that hackers were installing malware on its system; failed to isolate its most sensitive networks, and failed to respond to multiple warnings on its software regarding the “escape routes” the cyber attackers planned to use to steal the data from Target’s network.
Target publicly confirmed that 40 million credit and debit card accounts had been exposed in a breach on Dec. 19, and officials testifying in hearings before Congress said they were not aware of a breach until contacted by the Department of Justice on Dec. 12.
“For nearly a decade, we’ve had major data breaches at companies both large and small. Millions of consumers have suffered the consequences,” said Sen. John D. Rockefeller (D., W.V.). “While Congress deserves its share of the blame for inaction, I am increasingly frustrated by industry’s disingenuous attempts at negotiations. It’s time for industry to work with us on legislation that reinforces the basic protections American consumers have a right to count on.”
Rockefeller, chair of the committee, is holding a hearing today titled “Protecting Personal Consumer Information from Cyber Attacks and Data Breaches.” Officials from Target, Visa and the Federal Trade Commission are set to testify at the hearing.
Rockefeller is the cosponsor of legislation that would establish a federal data breach notification standard.