Malware installed on point-of-sale (POS) systems has been stealing credit card data from Brooks Brothers for a year, the clothing giant revealed in a Breach Advisory Notice (PDF).
The New York-based clothier and retailer states that it only found out about the incident recently. According to the company, an “extensive” forensic investigation points to an unauthorized individual gaining access to some payment processing systems at its retail and outlet locations and installing malicious software designed to capture payment card information.
The number of affected stores in the US and Puerto Rico appears to be 223, based on the searchable list of affected locations that Brooks Brothers has published.
From April 2016 until March 2017, the POS malware was able to record and export customers’ names, card numbers, expiration dates, and verification codes: all the information necessary to make fraudulent online payments.
The company stated that its website wasn’t hit by the breach. In its advisory, it said that the issue “has been resolved and is no longer impacting transactions”.
“Once we learned of this incident, we took immediate action including initiating an internal review, engaging independent forensic experts to assist us in the investigation and remediation of our systems and alerting law enforcement.”
Brooks Brothers declined to give information on the number of customers and credit cards that were compromised during the breach period, but similar breaches at retailers such as Home Depot resulted in millions of affected consumers.
As always, it is prudent to keep an eye on your card statements for anything unusual, and Brooks Brothers has also provided a reference guide, Information About Identity Theft, which includes recommendations from the Federal Trade Commission regarding identity theft protection.