Bebe Stores Admits Hackers Stole Customer Credit Card Data

Bebe Stores, Inc., has confirmed reports that customer payment card data has been compromised after a malicious actor breached the company’s payment processing systems.

The women’s clothing retailer operates over 300 stores across the United States, the U.S. Virgin Islands, Puerto Rico and Canada. However, the company believes only customers who swiped their cards at payment terminals in the U.S., Puerto Rico and the Virgin Islands are affected. The website, mobile application, and Canadian stores are not impacted by the data breach, Bebe Stores said in a statement on Friday.

The investigation is ongoing, but Bebe Stores believes the attackers had access to cardholder names, account numbers, expiration dates and verification codes only between November 8 and November 26. This timeframe is small compared to other recent incidents in which the cybercriminals had access for several months.

The retailer said the attack was blocked with the aid of a “leading” security company, and is confident that customers can now safely use their payment cards to pay at Bebe stores.

“Our relationship with our customers is of the highest importance,” stated Jim Wiggett, the CEO of Bebe Stores. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”

Bebe Stores’ payment processor is working with credit card companies to prevent fraud. Customers affected by the data breach can request credit monitoring services for which the retailer will cover the costs for a period of one year.

Fraudsters use the stolen data to create counterfeit credit cards and purchase high-value items, which they quickly sell for a profit. That is why potential victims of this incident are advised to keep an eye out for any unauthorized activities on their payment card.

Security blogger Brian Krebs was the one who broke the news last week. An East Coast bank informed Krebs that it had purchased payment card data belonging to several of its customers from a relatively new carding website. The data was sold for between $10 and $27 per card.

It’s uncertain at this point how many cards have been compromised in the Bebe Stores incident, but it’s probably far less than the number of cards exposed in the recent Home Depot breach. In the case of Home Depot, the attackers had access to the company’s systems from April to September and they managed to obtain the details of 56 million payment cards. The hackers also grabbed 53 million customer email addresses.