Data breach: U.S. retailer J.Crew reveals 2019 security incident to customers

J.Crew suffered a credential stuffing attack that may have compromised the personal data of customers, the U.S. clothing retailer disclosed earlier this week. Fraudulent activity was apparently noticed last spring, but the firm did not reveal the number of compromised accounts on their website.

In a data breach notice sent to shoppers, the company states that “through routine and proactive web scanning, we recently discovered information related to your account. Based on our review, we believe your email address (used as your username) and password were obtained by an unauthorized party and in or around April 2019 used to log into your account.”

It’s unclear why it took the company almost a year to notify users, but studies show it takes an average of 197 days to identify a data breach. Although the number of victims was not revealed, California law obliges companies to send out security breach notices only if the incident affected more than 500 residents. It is safe to assume the number of victims falls above that, potentially by an order of magnitude.

On top of the compromised email addresses and passwords, the threat actor could have accessed additional information stored on the account, including the last four digits of credit card numbers, expiration dates, card types, billing addresses, order numbers and shipping confirmation numbers, along with order status. In an attempt to minimize the damage, the company disabled the accounts marked with suspicious activity and asked users to reset their login passwords.

Data breaches and data leaks often take a long time to discover. Don’t rely solely on corporate notification emails – a company can’t notify you of a data breach or security incident unless it knows about it. As with any such leak incident, you should start changing the passwords for all of your accounts, and by no means should you recycle old passwords just because they are easier to memorize. Should you find it difficult, you can always use a password manager. Don’t forget to keep your security solution up to date and monitor all your online accounts for suspicious activity. It’s always a good idea to enable 2FA (two-factor authentication) for all of your e-commerce and social media websites. If somebody tries to access your account, you’ll be notified of any questionable activity so you can take immediate action.

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.