Clothing brand J.Crew Group Inc. disclosed a data hacking incident, dating to April 2019, that compromised customer information.
In an incident filing last Tuesday, March 3, the company said an unauthorized party gained access to customer accounts around April last year. In the filing with the California attorney general, J.Crew said the hacker was able to obtain personal information from online accounts, including credit cards and their types, payment card numbers, expiration dates, and associated billing addresses.
Additionally, data containing customers' order numbers and shipping statuses was obtained. A J.Crew spokesperson said the hacker used a credential stuffing technique to get to the login information and automatically access data.
According to the data breach notice, the company recently discovered the incident after conducting routine, proactive web scanning. The retail giant did not disclose the number of customers affected, saying only ‘a small number’ in the notice. TechCrunch reports that the indicated small number is fewer than 10,000 customers.
J.Crew also took action to deactivate pending account password resets and telephone calls. Moreover, the company notified all customers to change their passwords as added protection against hackers.
The brand spokesperson said, “Out of an abundance of caution, we promptly notified potentially affected customers. We take security-related matters seriously and are committed to ensuring our customer’s personal information remains secure.”
Upping the Bar for Security
Data security analysts believe that this incident offers lessons not just for customers who shop online but for retailers as well. Senior security strategist Jonathan Knudsen said retailers with a valuable number of customers must consider ‘upping the bar with two-factor authentication.’
“First, credential stuffing is an attack where previously leaked lists of user names and passwords are used to gain unauthorized access to systems. Knowing this, the best course of action is to practice good password hygiene. Don’t re-use the same password across multiple sites, and make sure you are using a strong password that cannot be easily guessed,” said Knudsen.
Knudsen also criticized J.Crew for failing to report the incident immediately and for taking a year to inform customers. “What other attacks, involving your personal information, might have already occurred without your knowledge?” said Knudsen.
Prior to this data breach, J.Crew had been hit by another data hacking incident in 2018, which exposed customers' personal financial data.