Report: Hackers may have obtained North Face customer data

The North Face is reportedly notifying customers of a breach that may have exposed information from their accounts with the retailer.

According to Infosecurity, vertical outdoor apparel retailer The North Face is alerting online accountholders of a “credential stuffing” attack on its e-commerce site. In credential stuffing, hackers automatically try to log into consumers’ accounts on different sites by using password data from another site. Consumers who reuse passwords for more than one site are left vulnerable to unauthorized access.

Infosecurity excepted an email The North Face sent to potentially affected customers, which said in part, “Based on our investigation, we believe that the attacker obtained your email address and password from another source and may have accessed the information stored on your account at thenorthface.com.”

The email lists possible pieces of exposed information as including first and last name, birthday, telephone number, products purchased and/or saved to “favorites,” billing and shipping address(es), customer loyalty point data, and email preferences. The North Face tokenizes customer payment card data, making it inaccessible in this type of security breach, but has deleted all tokenized information from its site since the attack.

The retailer also reportedly limited site log-ins from what it deems “suspicious” sources and deleted any user passwords which may have been compromised in the attack. Customers will have to re-enter payment card data and create new passwords – The North Face is advising them to not re-use any password from a different site.

In addition, The North Face reportedly notified the California attorney general’s office (the retailer is based in Alameda, Calif.) of a “brute force” attack being launched against its e-commerce site during the period of Thursday, Oct. 8 – Friday, Oct. 9.

Mike Puglia, chief strategy officer at IT management software provider Kaseya, advises online retailers to maintain payment card compliance by implementing corporate cybersecurity standards.

“First and foremost, retailers must ensure they are complying with the Payment Card Industry Data Security Standard (PCI DSS), said Puglia. “Compliance with these standards helps retailers protect payment card data by restricting physical and digital business access to cardholder data and requiring multi-factor authentication for all non-console administrative access.” 

Ruston Miles, founder and advisor of payment/data security technology vendor Bluefin, said defensive measures like encryption and tokenization of sensitive data can also prove valuable in fighting cyberfraud.

“Retailers need to operate under the assumption that every wall has its gaps,” said Miles. “Eventually, a hacker will break through and unless you’ve made your data useless to hackers, a compromise is likely to occur.