Bebe Stores Hit By Credit Card Breach

The women's clothing chain Bebe Stores appears to have suffered a credit card breach, according to investigative reporter Brian Krebs.

Krebs says he recently began hearing from sources at several banks about a pattern of credit and debit card fraud in which all impacted cards had been recently used at one of Bebe's 200 locations across the United States.

A source at an East Coast bank told Krebs that a batch of cards offered for sale earlier this week at the online cybercrime shop Goodshop for $10 to $27 per card had all been used at U.S. Bebe locations between November 18 and November 28, 2014.

"It is not clear if the breach at Bebe stores is ongoing, or if it extends prior to mid-November 2014," Krebs notes.

Krebs also says there's no indication that the apparent breach impacts online purchases. "The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines," he writes.

The stolen data is then sold on cybercrime sites like Goodshop, and used by criminals to create fraudulent cards.

The apparent breach at Bebe follows the same pattern as a series of other point-of-sale breaches uncovered by Krebs this year, including those at Home Depot, Neiman Marcus and Michaels Stores.

Tod Beardsley, Metasploit engineering manager at Rapid7, told eSecurity Planet that the Bebe breach demonstrates that criminal organizations are getting better at locating and exploiting targets in the retail sector.

"The plain facts are that credit card magnetic stripe systems are embarrassingly old technologies and should be phased out with all possible haste, point of sale systems and back-end payment processing systems are not getting sufficient attention from professional information security auditors and practitioners, and major retailers generally do not publish or share their lessons learned as a normal part of their breach recovery," Beardsley said. "Until these failures are addressed, there is no reason to think these attacks will slow down any time soon."

Anyone who recently shopped at Bebe, Beardsley said, should review their bank and credit card statements for fraudulent activity, and should contact Bebe customer relations for more information on the reported breach.

"Of course, consumers should also routinely review their bank statements to look for mysterious charges," Beardsley added. "After all, this is unlikely to be the last reported attack on a major retailer."