Retailer Vera Bradley warned customers on Wednesday of a compromise of its point-of-sale system that allowed hackers to make off with an undisclosed number of credit card records. The breach impacts only retail customers who shopped at one of 159 Vera Bradley locations between July 25 and Sept. 23.
“Cards used on our website have not been affected,” said Julia Bentley, VP of investor relations and communications in an email interview with Threatpost. Vera Bradley has not received any reports from customers of suspected fraudulent bank card activity, Bentley said.
In a statement to its website Vera Bradley said that hackers gained access to its payment processing system and installed a malware program that looked for and collected payment card data.
“The program was specifically designed to find track data in the magnetic stripe of a payment card that may contain the card number, cardholder name, expiration date, and internal verification code as the data was being routed through the affected payment systems,” according to the statement.
Bentley said not all cards used during the time its PoS system was compromised are affected. She added that attackers targeted just bank card data and not other personal information, such as account usernames and passwords, birth dates and Social Security numbers.
Vera Bradley said it was made aware of the cyberattack on Sept. 15 when law enforcement contacted the company regarding a “potential data security issue related to (its) retail store network.” Bentley said Vera Bradley contacted FireEye’s incident response team Mandiant to help mitigate the security breach.
Vera Bradley joins a number of retailers also hit by cyber criminals targeting PoS systems this past year.
In March, fast-food chain Wendy’s disclosed it was a victim of a point-of-sale system attack that installed malware on PoS computers affecting 300 franchise restaurants. In June, both the Hard Rock Hotel and Casino Las Vegas and the Noodles & Company fast food chain announced separate breaches that include unauthorized access to credit card data. In August, Eddie Bauer confirmed a breach of its payment card system in the US and Canada.
Several hotel chains, including Kimpton Hotels and Restaurants – a chain of 62 boutique hotels – and HEI Hotels and Resorts – which counts hotel chains like Westin, Marriott, and Sheraton – announced this summer they’ve been hit by payment card malware.
In August, Oracle was forced to issue a password change on its MICROS point of sale systems. Hackers, allegedly associated with the Carbanak Gang embedded code on the MICROS support site, allowing them to steal usernames and passwords from customers logged in a support website.
