Buckle is a denim-centric clothing store that sells “medium to better–priced” clothes for men and women. It may not be a household name, but there’s probably a store near you, with around 450 locations in 44 states. The chain admitted over the weekend that its payment systems were infected with malware from Oct. 2016 to April 2017, potentially compromising customers’ payment card data.
The ever-alert Krebs on Security learned about a possible breach from contacts at banks and credit card companies, who reported a pattern of fraudulent transactions on cards that also happened to be used at Buckle stores recently. The retail chain made a public announcement detailing how its in-store point of sale systems were infected with malware.
“All Buckle stores had EMV (“chip card”) technology enabled during the time that the incident occurred and we believe the exposure of cardholder data that can be used to create counterfeit cards is limited,” the retailer explained in its statement.
The company believes that no Social Security numbers, email addresses, or street addresses were obtained by the fraudsters, but for some customers the fraudsters still have enough information to create cloned cards or to attempt e-commerce fraud with the ill-gotten information.
However, if your bank still hasn’t switched to a chip-based system, or if you passed your card through the magnetic swipe reader due to forgetfulness or a defective chip, that means the malware crooks may have harvested your card information.
If you shopped at a Buckle store between October and April, keep a careful eye on your credit or debit card statements for transactions that don’t belong, and report them to your bank or card issuer immediately.