J. Crew Reports Data Breach, One Year Later

One cybersecurity expert said, “The hackers in this case were after credit card numbers.”

Source: Hayk Shalunts/Shutterstock.

Better late than never. Clothing retailer J. Crew revealed an unspecified number of its customers had their online accounts accessed “by an unauthorized party” nearly one year ago, around April 2019.

The company said in a Notice of Data Breach filing on Tuesday with the California Attorney General’s Office that hackers gained access to its customer accounts including the last four digits of credit card numbers as well as the expiration dates, card types, and billing addresses connected to those cards. According to the notice, hackers also accessed order numbers, shipping confirmation numbers and shipment status of those orders. “We do not have reason to believe that the unauthorized party gained access to any additional information within your account.”

J. Crew disclosed that, in light of this incident, it disabled a number of customer accounts and will require the affected customers to contact the J. Crew customer care center to review their accounts and reset passwords.

Hackers execute account takeover attacks using a variety of methods: reusing usernames and passwords acquired in previous data breaches, using stolen passwords, and running brute-force and credential stuffing attacks. The mounting toll of data breaches, affecting payment card and other data, provides a full package of individuals’ identifying information.

Ameet Naik, security evangelist at PerimeterX, said, “The hackers in this case were after credit card numbers. They used credential stuffing, also known as account takeover attacks, to gain access to J. Crew’s servers and siphon off this valuable bounty directly from their databases.”

Naik noted hackers typically use automated bots to rapidly try thousands of stolen usernames and passwords until they hit the jackpot or steal credit card information typed directly from a website. “This type of attack, also known as a digital skimming or Magecart attack, is very difficult to detect since it happens on the user’s computer.”

James McQuiggan, security awareness advocate at KnowBe4, said, “Organizations who become breached need to have policies and procedures for handling data breaches involving personal identifiable information and take the necessary steps to inform their customers and the public in an appropriate time frame and not because they were forced due to privacy regulations.”

McQuiggan explained the hacker or hackers got in via credential stuffing because the user accounts had the same password from another breach. “Through a strong security awareness program and culture, people understand the need to change passwords and if a password has been compromised in another breach to not use it again.”

Paul Bischoff, privacy advocate at Comparitech, suggested, “If businesses don’t start forcing users to set up two-factor authentication for logins, then they’ll have little defense against credential stuffing attacks like these.” Bischoff also emphasized credential stuffing attacks succeed because customers reuse passwords across multiple accounts. “While J. Crew cannot force its customers to use unique passwords, it can require them to set up two-factor authentication.”

Retailers are huge targets for bad actors due to the type and amount of data they process, Jonathan Deveaux, head of enterprise data protection at comforte AG, indicated. “They’re looking to retain their existing customers and gain new ones, therefore harvesting data is the key.” Deveaux pointed out that years ago, retailers were targets only for their credit card data. Today, they possess a lot of intelligence on their customers, primarily personal information.

Deveaux added that the end customer should really consider using different user IDs and passwords per online account, activating multi-factor authentication, and initiating password refreshes at least monthly. Retailers can consider data protection/privacy solutions such as tokenization or format-preserving encryption to help greatly reduce the likelihood of credential stuffing.

Chris Rothe, chief product officer and co-founder of Red Canary, observed, “According to J. Crew, they discovered this through ‘routine and proactive web scanning.’ I read that as they (or a third-party) monitor various places on the internet and dark web and found some of their data. At that point they likely did an investigation to confirm a breach occurred and figured out when.” Rothe maintained that the time from the discovery of a breach to its disclosure can be long, depending on the difficulty of the investigation and the sensitivity of the data.