Data gather from a number of financial institutions and at least one underground cybercrime card shop suggest hackers have breached and stolen credit and debit card data from BeBe Store Inc., a nationwide women’s clothing retail chain.
Security expert, Brian Krebs was informed by several banking institutions Thursday that a pattern of fraudulent charges throughout customers payment cards had begun, linking all back to the BeBe clothing retailer.
Banks found that all cards found frauded were used at the BeBe (pronounced “Bee-Bee”) retailer between November 8 through November 26th. As BeBe has since confirmed the credit card breach, the retailer says breached data may include cardholder name, account number, expiration date, and the CVV verification code.
To further verify the breach, one cybercrime shop came out with a dump selling the cards under batch name “Happy Winter Update.” Krebs found each card ranged in price from $10 to $27 per card.
Housed in the “Happy Winter Update” is not the card number, but instead the magnetic strip data on the back of payment cards. Meaning criminals can re-encode or reload the data back onto phony plastic cards and make high-priced purchases at big box retailers. Criminals usually resell the stolen goods for a high-price to maximize profit.
BeBe emphasized their online shop and retailers outside the United States (excluding Puerto Rico) were not affected in the breach. Customers affected in the BeBe data breach have been offered one free year of credit monitoring, as comes usual with any large retailer breach.
“Our relationship with our customers is of the highest importance,” said bebe CEO Jim Wiggett, in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”
Initial information on the BeBe data breach suggested the store may have suffered an attack ranging through November 28th, or Black Friday. BeBe’s security breach notification notes the retailer cleaned up the malware before November 26, two days before the black Friday frenzy.
As the BeBe breach is still under investigation, details remain scarce.
BeBe was likely hit by a variant of Point-of-Sale malware, a piece of malware that allows criminals to steal payment card data from retailers cash registers or machines customers swipe their card through. BeBe can now add themselves to the long list of breached retailers which includes Home Depot, Target, Kmart, and countless others.