Clothing store chain Eddie Bauer has said that its US retail stores' point-of-sale (PoS) systems were infected with malware earlier this year, potentially giving hackers access to customers' payment card information.
Following an investigation, the company said its customers' payment card information used at its retail stores between 2 January and 17 July this year "may have been compromised". However, not all customer transactions made during this period were affected, the company noted.
Customers shopping online during the same period were not impacted either, the company added.
The Bellevue, Washington-based company said the breach was "part of a sophisticated attack" targeting various hotels, restaurants and retailers.
"The security of our customers' information is a top priority for Eddie Bauer," CEO Mike Egeck said in a statement. "We have been working closely with the FBI, cyber security experts and payment card organisations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts. In addition, we've taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future."
The clothing chain also said it was offering identity-protection services to all customers who made purchases or returns at its stores during the period and was notifying customers whose payment card information may have been accessed. However, the company did not specify how many customers were possibly affected.
In a blog post published on Friday (19 August), cybersecurity expert Brian Krebs said the company's acknowledgement that malware had infected point-of-sale systems at all of its more than 350 stores across North America came almost six weeks after his blog, KrebsOnSecurity, informed the company about a possible breach.
Krebs said he heard from "several sources who work in fighting fraud at US financial institutions" that a pattern of fraudulent charges on cards used at Eddie Bauer stores stretching back to January 2016 had been identified.
"Given the volume of point-of-sale malware attacks on retailers and hospitality firms in recent months, it would be nice if each one of these breach disclosures didn't look and sound exactly the same," the blog post reads. "For example, in addition to offering customers the predictable and irrelevant credit monitoring services topped with bland assurances that the 'security of our customers' information is a top priority', breached entities could offer the cyber defenders of the world just a few details about the attack tools and online staging grounds the intruders used."
"That way, other companies could use the information to find out if they are similarly victimised and to stop the bleeding of customer card data as quickly as possible."
The latest announcement follows a series of high-profile data breaches, including a cyberattack earlier this month that also targeted PoS systems, at 20 hotels run by HEI Hotels and Resorts, among them Marriott, Hyatt and Starwood. Oracle's Micros PoS systems were also attacked the same month in a breach allegedly carried out by the Russia-based cybercrime group Carbanak Gang.