Cyber Incident Victim: Sheplers

In September 2014, Western wear retailer Sheplers disclosed unauthorized access to its payment systems, potentially exposing customer payment card information. The breach impacted customers who used credit or debit cards at Sheplers retail locations between June 11 and September 4, 2014, with no evidence of compromise to the company’s online store. Attackers accessed names, payment card account numbers, and card expiration dates, though investigators found no indication that debit card PINs were compromised. Sheplers first publicly addressed the incident on September 19, 2014, via a website notification, stating their investigation remained ongoing but affirming it was safe to continue using payment cards at their stores. The company did not disclose the total number of potentially affected payment cards or individuals during initial communications.

Sheplers implemented new security measures following the breach and offered free fraud protection services to impacted customers. By September 4, 2014, the company acknowledged fraud reports from "a few dozen" customers but provided no specific figures regarding confirmed compromises or notification volumes. The retailer maintained that detection and containment efforts were active, with no further details released about the intrusion methodology or identity of threat actors. The breach exclusively affected point-of-sale systems in physical retail locations, with no expansion to other operational areas confirmed. Sheplers’ public communications emphasized ongoing collaboration with forensic investigators while refraining from speculating about potential attack origins or broader systemic vulnerabilities.