Malware infected the point-of-sale systems in all of Eddie Bauer’s stores in the United States and Canada for more than six months this year, stealing payment card data at the company’s 350 stores.
The attack affects an untold number of customers who shopped in the stores between January and mid-July of 2016, but the company said customers who shopped online are not affected. Eddie Bauer officials said the company is working with the FBI on the breach investigation.
“The security of our customers’ information is a top priority for Eddie Bauer,” said Mike Egeck, Chief Executive Officer of Eddie Bauer, in a statement. “We have been working closely with the FBI, cyber security experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts. In addition, we’ve taken steps to strengthen the security of our point of sale systems to prevent this from happening in the future.”
The breach at Eddie Bauer is the latest in a string of very similar incidents at restaurants, hotels, and other retail and hospitality chains. Earlier this week, hotel operator HEI admitted that 20 of the hotels it runs around the U.S. were hit by PoS malware over the course of about 15 months, starting in March 2015. The attack affected Marriott, Sheraton, and other hotels that HEI runs.
“We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and remediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of reconfiguring various components of our network and payment systems to enhance the security of these systems,” HEI said in a notice to customers.
Eddie Bauer officials said that they believe the attack on the company’s stores was part of a “sophisticated attack” that targeted hotels, restaurants, and retailers. Hackers have been going after PoS and payment card systems for several years, particularly those at retailers and hotels that see a high volume of transactions. The malware used in these attacks is typically designed to capture card data on the terminal before it is encrypted and sent to the back-end system.