Guess is sending alerts about a February hacking episode that may have provided unauthorized access to data including Social Security and financial account numbers.
According to Bleeping Computer, the global specialty apparel brand recently notified potentially affected customers that there was “unauthorized access to certain Guess systems between February 2, 2021 and February 23, 2021.”
On May 26, 2021, Guess said the investigation determined that personal information that may have been accessed or acquired by an “unauthorized actor” could include Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers. Work to identify the addresses of customers who may have been affected was completed June 3, 2021, and Guess started mailing notification letters on July 9, 2021.
Guess is offering customers who may have had data exposed a complimentary one-year membership in Experian credit monitoring and identity theft protection services, and has established a dedicated call center. The company said it has also implemented additional network security measures and strengthened existing security protocols.
Bleeping Computer reports that information filed with the office of the Maine state Attorney General indicates that personal information of over 1,300 people was exposed in the incident. In its letter to potential victims of the breach, Guess said that four Maine residents may have had personal data exposed and that it objects to Maine having any personal jurisdiction regarding claims relating to the incident.
In April 2021, Databreaches.net reported that Russia-based ransomware group DarkSide, believed to be responsible for the widely publicized Colonial Pipeline shutdown in May 2021, had listed Guess as one of its victims on a data leak site. DarkSide is thought to have shut down operations following the pipeline attack.
Erich Kron, security awareness expert at security awareness training platform KnowBe4, told Chain Store Age that retailers need to carefully evaluate what type of customer data they digitally maintain.
“Although the DarkSide ransomware group is out of commission, that does not mean this breach is insignificant,” said Kron. “The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver’s license numbers, financial account and/or credit/debit card numbers with security codes, passwords or PIN numbers, is an extremely valuable dataset for cyber criminals if they want to steal identities. For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems.”