Report: Guess breach may have exposed data

Guess is sending alerts of a February hacking episode that may have provided unauthorized access to data.

According to Bleeping Computer, the global specialty apparel brand recently notified potentially affected customers that there was “unauthorized access to certain Guess systems between February 2, 2021 and February 23, 2021.” The report indicates this data could include Social Security numbers, driver's license numbers, passport numbers and/or financial account numbers.

However, in an official statement emailed to Chain Store Age, Guess disputed several key aspects of the Bleeping Computer article. Most significantly, a Guess spokesperson said that while a few customers may have had data exposed, the breach overwhelmingly affected employees and contractors, and did not include sensitive personal or financial information.

"Guess Inc. recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess Inc.’s network," the company said in the statement. "We engaged independent cybersecurity firms to assist in the investigation, notified law enforcement, notified the subset of employees and contractors whose information was involved and took steps to enhance the security of our systems. The investigation determined that no customer payment card information was involved. This incident did not have a material impact on our operations or financial results." 

According to Bleeping Computer, Guess is offering individuals who may have had data exposed a complimentary one-year membership in Experian credit monitoring and identity theft protection services, and has established a dedicated call center. 

Bleeping Computer reports information filed with the office of the Maine state Attorney General indicates that personal information of over 1,300 people was exposed in the incident. In a letter that Guess reportedly sent to potential victims of the breach, it said that four Maine residents may have had personal data exposed and that it objects to Maine having any personal jurisdiction regarding claims relating to the incident.

In April 2021, Databreaches.net reported that Russia-based ransomware group DarkSide, believed to be responsible for the widely publicized Colonial Pipeline shutdown in May 2021, had listed Guess as one of its victims on a data leak site. DarkSide is thought to have shut down operations following the pipeline attack.

Erich Kron, security awareness expert at security awareness training platform KnowBe4, told Chain Store Age retailers need to carefully evaluate what type of customer data they digitally maintain. As noted previously, Guess says it does not store personal customer data such as financial account or Social Security numbers and that this breach almost exclusively impacted employees and contractors.

“Although the Darkside ransomware group is out of commission, that does not mean this breach is insignificant,” said Kron. “The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver's license numbers, financial account and/or credit/debit card numbers with security codes, passwords or PIN numbers, is an extremely valuable dataset for cyber criminals if they want to steal identities. For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems.”