Data Breach at Vera Bradley Stores

by Raymond Pucci

Another week, another data breach, this time at accessories merchant Vera Bradley. The payment processing system serving the retailer’s 166 stores was compromised this past summer via unauthorized access, as the following article describes.

Ladies’ handbag stalwart Vera Bradley is investigating a data breach. The company said that the issue took place over the summer and affected its 122 stores and 44 outlets. An investigation of the hack revealed unauthorized access to Vera Bradley’s payment processing system and the installation of a program that looked for payment card data.

The program was specifically designed to find track data in the magnetic stripe of a payment card that contains the card number, cardholder name, expiration date and internal verification code, as the data was being routed through the affected payment systems.
Some cards used at Vera Bradley store locations between July 25 and Sept. 23 may have been affected. Cards used online were not at risk.

Vera Bradley, which is known for its distinctive, brightly colored and quilted bags, said law enforcement had notified it of a potential data-security issue on Sept. 15—the company immediately launched an investigation, stopping the data breach a little over a week later.

“Retailers need to do everything they can to protect their customers’ data; this means deploying the latest developments in endpoint protection and secure web gateways that actually prevent breaches through the most advanced methods available to the industry today,” John Peterson, vice president and general manager, Comodo, said via email. “When it comes to retail breaches, customers need to be aware of their exposure. They should keep a close eye on accounts that may be impacted and report any suspicious behavior on those accounts.”

It’s not clear whether Vera Bradley stores had converted to EMV cards, but chip cards are not a foolproof in-store fraud-fighting solution. Back-end payments servers and systems can still be hacked to access cardholder records regardless of the type of payment card being used. At the Black Hat security conference earlier this year, news surfaced that some malware could be installed in POS terminals that could trick the system into not recognizing the chip card and reading the more vulnerable magnetic stripe data instead. Cardholders are usually the last to know about these data breaches, and by then it’s too late.

Overview by Raymond Pucci, Associate Director, Research Services at Mercator Advisory Group
