Clothing retailer Bebe has publicly admitted that its payment systems were breached in a security incident last month.
The breach, which occurred Nov. 8-26, involved payment cards used in Bebe stores in the United States, Puerto Rico and the U.S. Virgin Islands and did not impact purchases made in Canada or online. According to Bebe, the data that was stolen may have included cardholder names, account numbers, expiration dates and verification codes.
“Our relationship with our customers is of the highest importance,” Jim Wiggett, CEO of Bebe Stores, said in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”
With the disclosure, Bebe joins a growing list of retailers that have admitted to breaches over the last year. It’s a list that now includes Michaels, P.F. Chang’s, SuperValu, Dairy Queen, Home Depot, Target and Goodwill, to name a few.
Experts contacted by eWEEK were not surprised that another retailer has come forward to admit a data breach.
“The breach of Bebe for credit card theft is just one example out of thousands faced by U.S. businesses each year,” Lucas Zaichkowsky, enterprise defense architect at Resolution1 Security, said. “Similar attack patterns are observed in most cases with minimal surprises.”
Ian Amit, vice president of ZeroFOX, wasn’t surprised by the breach either. Amit noted that because the hackers were financially motivated, the breach likely only targeted credit card numbers.
At this point, the actual specifics of the Bebe breach, in terms of how many consumers were affected and what the root cause was, have not yet been publicly revealed. It is also not known whether point-of-sale (POS) malware was involved and, if so, whether it belongs to a known malware family. The presence of card verification codes among the potentially stolen data is at least consistent with capture at the point of sale rather than from stored records, since PCI DSS does not permit merchants to retain those codes after authorization, but Bebe has not confirmed this. The U.S. Secret Service has been warning of the risks of the Backoff POS malware since July and has stated that more than 1,000 retailers have been impacted by the malware.
Kevin Lawrence, senior security associate at Bishop Fox, said the initial notification is fairly vague.
“While Bebe is concerned with its immediate breach and responding rapidly, they may not be addressing the actual cause,” Lawrence said.
The breach notification gives a November date for the data loss, according to Lawrence, which in his view means that the attacker may have had access at that time and was detected only because the stolen cards were being sold online.
Don’t Blame Bebe
According to Zaichkowsky, Bebe is the victim in the incident and it’s morally wrong to blame victims.
“Their security was probably on par with most other businesses, making them another example of why businesses need to improve their ability to rapidly identify and thwart hacker intrusions in progress, before the damage is done,” Zaichkowsky said.
Bob Stratton, general partner at Mach37, commented that it is time to shift the dialogue from “who should be blamed?” to “how best can we continue to operate?”
The reality is there are continual attacks from a variety of sources, due to a wide range of motivations, according to Stratton. People don’t fire their family doctors when they catch a cold, he added. And people don’t treat a cold the same way they would treat cancer or a broken leg.
“It is unreasonable that we regard all compromises equivalently or expect that they will never happen,” Stratton said. “What is reasonable to discuss is how we manage information security risks in a continuing, adaptive way.”
Lawrence echoed Stratton’s view, adding that the reality is there will always be holes in security.
“For every IT security practitioner, there are dozens or even hundreds of attackers,” Lawrence said. “Security is about slowing down the attackers and making it take longer for them to succeed, while simultaneously increasing the ability to detect them, as they are attempting an attack.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.