Brooks Brothers suffers 11-month data breach

Dive Brief:

Brooks Brothers acknowledged on Friday that a data breach had affected some of its retail locations in the U.S. and Puerto Rico over 11 months from April 2016 to March 2017, according to a company press release.
The company said some customer payment card information was collected by malicious software that had been installed on some of its payment processing systems at the locations in questions — both Brooks Brothers and Brooks Brothers Outlet stores. Compromised information may have included card names, payment card account numbers, card expiration dates and card verification codes, but not sensitive personal information such as Social Security numbers or customer addresses, the company said.
The men's apparel retailer, which has more than 400 stores worldwide, said it had hired independent forensic experts and alerted law enforcement after being informed of the breach. "While we are continuing to review and enhance our security measures moving forward to help prevent a future incident, we can confirm that this issue has been resolved and is no longer impacting transactions," the company said in a statement.

Dive Insight:

Anyone who thought the retail sector was getting ahead of the game after being awakened by data breaches at more retailers and related companies in 2016, notably including Vera Bradley, was sorely mistaken. And the Brooks Brothers breach seems particularly vexing.

The crime, which potentially went on for almost a year under the company's nose and possibly left customers' payment card data compromised, doesn't seem to have warranted much of a detailed explanation or apology from Brooks Brothers. The tone of much of the coverage of this incident seems to be something like "what's done is done," as if this sort of attack is just another example of the new normal.

An 11-month data breach should not be swept under the rug so easily. Brooks Brothers owes its customers more details and more of an explanation for how this attack occured and why it wasn't discovered sooner. Yet, time and again we have see data breaches get acknowledged with only the barest amount of detail.

Do retailers in this kind of situation perhaps think they are as damned — or even more so — if they reveal every last detail of a data breach as they would be if they acknowledged almost nothing at all? Some studies have suggested retailers may have a lot to lose even if they do take proper actions following a data breach. For example, a KPMG study last summer found that 19% of consumers likely wouldn't shop at a retailer again after it suffered a data breach even if it took actions to remediate the problem.

While more information may be forthcoming, for now, telling customers and partners that essentially, "There is nothing to see here," seems like a short-sighted way to do business.