Malware installed at point-of-sale (POS) systems has been stealing credit card data out of Brooks Brothers for a year, the clothing giant said in a breach advisory (PDF).
The New York-based retailer says that it only found out about the incident recently. It says that an “extensive” forensic investigation points to an unauthorized individual gaining access to and installing malicious software designed to capture payment card information on some payment processing systems at retail and outlet locations.
Hundreds of stores in the US and Puerto Rico have been affected. Brooks Brothers has published this searchable list of 223 affected locations.
Between April 2016 and March 2017, the POS malware was siphoning off customers’ names, card numbers, expiration dates, and verification codes: all the information necessary to make fraudulent online payments.
When contacted by ZDNet, Brooks Brothers declined to state how many customers may have been affected.
The company’s website wasn’t hit by the breach. In its advisory, the company said that the issue “has been resolved and is no longer impacting transactions”.
Once we learned of this incident, we took immediate action including initiating an internal review, engaging independent forensic experts to assist us in the investigation and remediation of our systems and alerting law enforcement.
We may not know how many cards got ripped off in this particular POS malware hit, but similar attacks have been big and nasty.
Home Depot, for example, suffered $62m in losses after 56m credit cards were exposed a few years back.
Part of that cost was the free credit report monitoring services that Home Depot offered to those affected: a service that many businesses have offered in the wake of POS malware attacks.
Brooks Brothers has warned customers to keep an eye on their card statements for anything unusual, and has also provided a reference guide, Information About Identity Theft, which includes recommendations from the Federal Trade Commission regarding identity theft protection.