Cyber Incident Victim: The Buckle Inc.
Date: Oct 2016
Location: United States of America
Summary
The Buckle Inc., a U.S. clothing retailer with over 450 stores, experienced a point-of-sale malware breach compromising customer credit and debit card data over several months. Malware installed on cash registers captured magnetic stripe information from payment cards, enabling thieves to clone cards for counterfeit purchases or use stolen data for online fraud. While the retailer's EMV-capable terminals could process more secure chip-based cards, the breach primarily affected transactions using magnetic stripe data, leaving customers without chip cards vulnerable. Online purchases were unaffected. The incident highlighted risks associated with delayed adoption of chip technology, as stolen magnetic stripe data remained exploitable for both physical card cloning and e-commerce fraud despite available terminal safeguards.
Description
The Buckle Inc., a clothing retailer operating over 450 stores across 44 U.S. states, disclosed a point-of-sale malware incident on June 16, 2017, following inquiries from KrebsOnSecurity. Financial sector sources had alerted KrebsOnSecurity to patterns of fraud indicating a potential breach, prompting direct contact with the company earlier that day. Buckle confirmed that malicious software had been installed on cash registers in its retail locations, with data theft occurring from October 28, 2016, through April 14, 2017. The malware specifically targeted magnetic stripe data from payment cards used at compromised registers; online purchases through Buckle's e-commerce platform were unaffected. Although all Buckle stores used EMV-capable terminals that could process chip cards, the malware targeted transactions that relied on the magnetic stripe. This allowed attackers to clone cards for in-person counterfeit fraud at merchants still reliant on magnetic stripe processing.

The breach exposed customers using magnetic stripe cards to significant fraud risks, particularly affecting those whose financial institutions had not yet issued chip-enabled replacements. Though chip card users faced reduced cloning risks, their stolen data remained vulnerable to card-not-present fraud in online transactions. Industry context revealed broader challenges during the U.S. EMV transition, with Visa reporting 421 million chip cards (58% of its portfolio) circulating by March 2017 and counterfeit fraud decreasing 58% year-over-year at chip-enabled merchants. The incident mirrored fraud pattern shifts observed globally during EMV adoption, where counterfeit card fraud declined while e-commerce fraud rose 33% in 2016 according to Experian data. Buckle's disclosure highlighted persistent security gaps despite EMV infrastructure readiness, as delayed bank card upgrades and merchant adoption timelines extended vulnerabilities to legacy payment technologies.
