Bebe Stores confirms breach
Brisbane, Calif. — It’s been a little while since the last report of a major retail data breach, but that period of tranquility is over. Bebe Stores Inc. has confirmed that a cyberattack “focused on and limited to” data from payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores occurred between Nov. 8-26, 2014.
This data may have included cardholder name, account number, expiration date, and verification code. Purchases made through the company’s website or mobile site/application, in Canada, or at its international stores were not affected.
“Our relationship with our customers is of the highest priority and we recognize the importance of protecting their information,” said Jim Wiggett, CEO, Bebe. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”
Bebe said it has engaged a leading computer security firm and worked with them to block the attack from continuing. The retailer will offer credit monitoring services for one year at no cost to customers who made a purchase using a payment card at a U.S., Puerto Rico or U.S. Virgin Islands store during the breach time frame.
According to the security blog Krebs on Security, numbers for cards that had been used at Bebe stores in the U.S. between Nov. 18-28 were being offered for sale on an underground website called Goodshop in a “Happy Winter Update” on Dec. 1. Card prices ranged from $10 to $27.