
Cyber Incident Victim: Vera Bradley

Date: Jul 2016

Location: United States of America

Summary

A high-end fashion retailer experienced unauthorized access to its in-store payment processing systems, compromising customer payment card data including card numbers, names, expiration dates, and verification codes via malware targeting magnetic stripe information. The breach, detected after law enforcement notification, affected physical retail locations but not online transactions. The company halted the incident, engaged a security firm to investigate and enhance system protections, and coordinated with law enforcement and payment card networks. Customers were advised to monitor accounts for unauthorized activity. The event delayed a planned website upgrade due to reallocated resources. This incident reflects broader trends of point-of-sale system targeting by cybercriminals seeking financial data for fraud.


Description

Vera Bradley, a Fort Wayne, Indiana-based retailer known for its patterned handbags and accessories, disclosed a payment system breach affecting in-store transactions between July 25 and September 23, 2016. Law enforcement alerted the company to potential network security issues on September 15, prompting an internal investigation assisted by a computer security firm. The investigation revealed unauthorized access to Vera Bradley's payment processing systems and identified malware designed to capture payment card data from magnetic stripes during transactions. Compromised data potentially included card numbers, cardholder names, expiration dates, and verification codes. The company confirmed online transactions were unaffected and stated no evidence suggested compromise of other customer information beyond payment card details. Attackers specifically targeted point-of-sale systems in physical retail locations during the two-month intrusion period.


Upon confirming the breach, Vera Bradley terminated the unauthorized access and initiated security enhancements with its cybersecurity partner. The retailer notified customers to review account statements for fraudulent charges and contact card issuers regarding suspicious activity. Collaboration with law enforcement and payment card networks continued post-discovery to support investigations. Operational impacts included the postponement of a planned October 2016 website upgrade, rescheduled for fiscal 2018's first quarter due to resource reallocation toward breach remediation. This incident aligned with broader 2016 trends of POS system compromises affecting U.S. retailers like Eddie Bauer, Wendy's, and multiple hotel chains, where attackers deployed similar card-skimming malware. Security analysts noted POS systems' attractiveness as targets due to the immediate financial payoff from stolen magnetic stripe data, which could enable identity theft or fraud when combined with other breached information. Vera Bradley publicly emphasized its commitment to protecting customer data while acknowledging inconvenience caused by the breach.
