Bebe Stores latest victim of a payment card breach

Another big US-based has suffered a card data breach.

According to information initially gathered by Brian Krebs and several banks, Bebe Stores – a women’s retail clothier with 312 stores in the US, Canada, Puertorico, but also in several Asian, Latin American, Middle Eastern countries and Russia – is the common denominator in the shopping history of a number of credit cards that have been used to make fraudulent charges.

Krebs also received information that a East Coast bank has purchased a batch of its customers cards from a seller on the online carders shop Goodshop, and they also discovered that all of the affected users shopped at Bebe Stores located in the US between November 18 and 28.

The card information offered for sale is priced between $10 to $27 per card. It consists of data copied from the magnetic stripe on the backs of credit cards, and can be used to clone the cards.

This type of theft is usually the result of malware surreptitiously deployed on stores’ point-of-sale systems, as evidenced by the Home Depot, Target, Michaels and other breaches that happened in the last year.

The company has confirmed the breach today.

“Based on our investigation to date, we believe the attack was focused on and limited to data from payment cards swiped in our US, Puerto Rico and US Virgin Islands stores during a short window between November 8, 2014 and November 26, 2014. This data may have included cardholder name, account number, expiration date, and verification code,” they shared, adding that purchases made through their website, mobile site/application, in Canada, or their other international stores were not affected.

The company has called in an outside computer security firm in order to block the attack, and they have notified their payment processor, who then shared information about the purchases with credit card companies and banks who issued the compromised cards.

Customers who might be affected by this breach will get free credit monitoring services for one year, and are advised to review their account statements for unauthorized activity, and to inform their bank if they find it.

“Customers can feel confident in continuing to use their payment cards in our stores,” the company states, but to be on the safe side, you might want to wait a bit to do that.

You might have noticed that the compromise period noted by the bank who bought the cards is a bit longer than the one defined by Bebe. It could be a typo, or an indication that the company still hasn’t gotten all the facts straight.

I also wonder if this confirmation/notification would have been published today if Krebs didn’t report on this. Granted, not a lot of time has seemingly passed since the discovery of the breach and the notification, but with holiday shopping in full swing, this news could not have happened at a worst time for the company.