Bad news for Vera Bradley shoppers; the handbag and accessories retailer announced that hackers may have accessed customer data from its in-store POS systems, including card numbers, cardholder names, expiration dates and internal verification codes. The breach occurred between July 25, 2016 and Sept. 23, 2016.
While the retailer, which operates 156 stores, doesn’t know the exact number of cards affected, it revealed that cards used to make purchases on the brand’s e-Commerce site were not targeted. The breach has caused a delay in the launch of Vera Bradley’s new web site, and this may dampen its holiday season sales and “impact its ability to generate positive comparable sales growth” in the fourth quarter ending on Jan. 31, according to a company statement.
Vera Bradley is currently working with cyber security firm FireEye to improve its security.
Advertisement
According to George Rice, Senior Director of Payments for HPE Security – Data Security, who has no affiliation with Vera Bradley, said that a breach from a POS terminal can happen to almost any retailer. “A POS terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data,” he said.
Businesses can avoid these types of attacks with methods such as Format-Preserving Encryption, which “neutralize data from breaches either at the card reader, at the point of sale, in person or online,” said Rice.
“Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.2 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data,” he added.
Retailers large and small are not immune to data breaches. Recently, Home Depot was required to pay customers impacted by its 2014 data breach $19.5 million in settlement. Additionally, computer systems at MICROS, a POS vendor, were also compromised — with the rumored involvement of Russian cybercriminals.
