PINDROP BLOG

Vera Bradley Reveals Data Breach at Retail Stores

Vera Bradley, the maker of women’s handbags and accessories, said attackers compromised its payment processing system and were able to steal card data for customers who used cards in the company’s stores from the end of July through late September.

The breach does not affect cards used online, and the company has not yet said how many customers are affected. The incident apparently began on July 25 and ended on Sept. 23, and Vera Bradley said in a statement that it was alerted to the compromise by law enforcement on Sept. 15.


“Payment cards used at Vera Bradley retail store locations between July 25, 2016 and September 23, 2016 may have been affected. Not all cards used during this time frame were affected. Cards used on our website have not been affected,” the statement from Vera Bradley says.

“Findings from the investigation show unauthorized access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data. The program was specifically designed to find track data in the magnetic stripe of a payment card that may contain the card number, cardholder name, expiration date, and internal verification code – as the data was being routed through the affected payment systems. There is no indication that other customer information was at risk.”

The Vera Bradley breach is the latest in what’s becoming a long line of incidents that involve attacks specifically targeting retailers’ payment processing systems. Target, Home Depot, and many other retailers have experienced similar breaches, often involving the use of malware that sits on point-of-sale systems to harvest card data before it’s encrypted. Vera Bradley officials did not specify which part of its payment processing infrastructure was compromised, but attackers often target the PoS terminals or other front-end systems that handle some form of unencrypted data.

Image from Flickr stream of Jungle Jim’s
