Update: Bebe Stores confirms first holiday season data breach

Story originally published Dec. 5. Updated on Dec. 6 after Bebe issued a statement confirming the breach.

In what some may predict to be the first of a group of retail data breaches, women’s clothing store Bebe confirmed it was the victim of a payment card breach.

“Our relationship with our customers is of the highest importance,” said Jim Wiggett, Bebe CEO, in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”

Bebe said its investigation, led by a security firm it hired after detecting “suspicious activity” in its point-of-sale systems, has revealed payment cards swiped in its US, Puerto Rico and Virgin Islands stores were exposed from November 8 to November 26 but customers “can feel confident in continuing to use their payment cards in our stores.”

The data exposed “may have included cardholder name, account number, expiration date, and verification code,” said Bebe, which did not indicate how many cards could be affected.

Bebe’s website or stores in Canada were not affected, continued the retailer, who said it was offering credit-monitoring services to potentially affected customers for one year.

The breach was first reported by cybersecurity journalist Brian Krebs on his blog KrebsOnSecurity after hearing from financial institutions about “a pattern of fraudulent charges on customer credit cards that all had one thing in common: the cards were recently used at Bebe locations across the country.”

Krebs has broken retail data breach stories at Target, Home Depot, Michaels, Neiman Marcus and others.

Breaches at these retailers were similarly done using malicious software in the stores’ point-of-sale systems.

“We have notified our payment processor, which is working with the credit card companies to provide them with the account numbers for cards used during the period at issue so that the banks that issued those cards can be alerted,” Bebe said.