UPDATED 23:47 EDT / MARCH 04 2020

Customer credit card data stolen in April 2019 hack of J.Crew

J.Crew Group Inc. is the latest victim of a data breach, as customer data was stolen around April 2019.

The company disclosed the hack in a notice filed late last month with the California Attorney General’s Office. The hack is said to have been “recently” discovered “through routine and proactive web scanning.”

Data potentially stolen included some credit card information for cards stored in customer accounts, including the cards’ last four digits, expiration dates, card types and the billing addresses connected to the cards.

A spokesperson for the company told TechCrunch that the hack involved credential stuffing, a method whereby usernames and passwords already exposed in breaches of other sites are used to access accounts on a different site. J.Crew did not disclose the number of customers affected, saying only that a “small number” of customers were affected in the data breach.

“For users, there is nothing good about the credential stuffing attack at J. Crew but there are some useful lessons to be learned,” Jonathan Knudsen, senior security strategist at electronic design automation and software security firm Synopsys Inc., told SiliconANGLE.

“First, credential stuffing is an attack where previously leaked lists of user names and passwords are used to gain unauthorized access to systems,” Knudsen explained. “Knowing this, the best course of action is to practice good password hygiene. Don’t re-use the same password across multiple sites, and make sure you are using a strong password that cannot be easily guessed. If your J.Crew password is also in use elsewhere, be certain you update your passwords to avoid future issues with this or other accounts.”

The second lesson, he added, is that J.Crew did not make a public announcement about the attack until nearly a year later. “What other attacks, involving your personal information, might have already occurred without your knowledge?” he said. “For especially valuable accounts, consider upping the bar with two-factor authentication.”

Paul Bischoff, privacy advocate at research firm Comparitech Ltd., noted that if businesses don’t start forcing users to set up two-factor authentication for logins, then they’ll have little defense against credential stuffing attacks such as this.

Photo: Raysonho/Wikimedia Commons
