American clothier The Buckle has suffered a major data breach after its stores' cash registers were infected for months with malware designed to steal customer credit card data. The retailer confirmed the cyberattack on Friday, saying point-of-sale (PoS) malware was found installed at "certain" Buckle retail stores and that it believes customers who used payment cards in its stores between 28 October 2016 and 14 April 2017 were possibly affected.
However, Buckle said it believes that the malware did not steal data from all transactions or all PoS systems for each day within that time frame. The retailer said the malicious code was "quickly removed" and it has launched an investigation into the breach.
"We became aware that The Buckle, Inc. was a victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of our retail stores," the firm said in a statement.
"Based on the forensic investigation, we believe that no social security numbers, email addresses or physical addresses were obtained by those criminally responsible."
It noted that there is no evidence that its website and online customers were impacted by the breach.
"All Buckle stores had EMV ('chip card') technology enabled during the time that the incident occurred and we believe the exposure of cardholder data that can be used to create counterfeit cards is limited," the retailer said. "However, it is possible that certain credit card numbers may have been compromised."
The malware copied account data stored on the magnetic stripe of payment cards, such as cardholder names, card numbers and expiration dates.
"Armed with that information, thieves can clone the cards and use them to buy high-priced merchandise from electronics stores and big box retailers," security blog KrebsOnSecurity, which first reported the breach, wrote.
KrebsOnSecurity contacted The Buckle after receiving multiple tips from sources in the financial industry regarding a pattern of payment card fraud. The company disclosed the breach less than 24 hours later.
"The trouble is that not all banks have issued chip-enabled cards, which are far more expensive and difficult for thieves to counterfeit," KrebsOnSecurity explains. "Customers who shopped at compromised Buckle stores using a chip-based card would not be in danger of having their cards cloned and used elsewhere, but the stolen card data could still be used for e-commerce fraud."
Buckle has launched an investigation into the breach and is working with "leading third-party forensic experts" to review its systems and secure the affected part of its network.
In response to the breach, Buckle also blocked connections between its network and any potentially malicious external IP addresses, isolated any possibly compromised systems and removed malware-related files on its systems.
However, it has not revealed how many customers and retail stores were affected in the breach or named any suspected perpetrators behind the attack.
"We take the protection of payment card data very seriously," the company said. "We are cooperating fully with card brands and forensic investigation services."
It advised customers to monitor their payment card statements for any suspicious, unauthorised activity and report any such cases to their bank or credit card company.