Cyber Incident Victim: Brooks Brothers

Date: Apr 2016

Location: United States of America

Summary

A U.S. clothing retailer experienced unauthorized access to payment systems at certain U.S. and Puerto Rico locations, where malicious software captured customer payment card information including names, account numbers, expiration dates, and verification codes over several months. The breach did not compromise sensitive personal information such as Social Security numbers or addresses. The company engaged forensic experts and notified law enforcement after discovering the incident, which affected transactions at retail and outlet stores during the impacted period.

Description

In April 2017, Brooks Brothers disclosed a payment card data breach affecting customers at select U.S. and Puerto Rico retail locations. The incident involved unauthorized access to payment processing systems between April 4, 2016, and March 1, 2017—an 11-month compromise period. Attackers installed malicious software specifically designed to capture payment card information during transactions. The breach impacted customers who made purchases at certain Brooks Brothers and Brooks Brothers Outlet stores during this timeframe, though the company did not specify the exact number of affected locations or individuals. Compromised data included customer names, payment card account numbers, card expiration dates, and card verification codes used at point-of-sale systems. Notably, the malware did not access sensitive personal information such as Social Security numbers or customer addresses according to the company's investigation.

Brooks Brothers discovered the breach through unspecified means and subsequently engaged independent forensic experts to investigate the incident while alerting law enforcement authorities. The company confirmed the malware's functionality was limited to intercepting payment card data during transaction processing at compromised retail locations. With over 400 global stores at the time, the breach was contained to an undisclosed subset of U.S. and Puerto Rican outlets. The retailer did not publicly disclose detection methods, containment procedures, or whether the intrusion vector involved remote access, insider threats, or physical tampering. No evidence suggested data misuse occurred prior to disclosure, though the company did not offer details about customer notification timelines or remediation services such as credit monitoring. The disclosure occurred over a year after the breach began and one month following its apparent containment in March 2017.
