J. Crew Reveals Data Breach
J. Crew experienced a data breach last April, the company revealed in a letter posted by the California attorney general.
First reported by TechCrunch, the letter states that routine web scanning discovered that email addresses and passwords were obtained by an unauthorized third party and then used to log into JCrew.com accounts in April 2019.
Information accessible in the account included the last four digits of a credit card, as well as the expiration dates, card types and billing addresses of the cards. The unauthorized third parties could have also accessed order numbers, shipping status and confirmation numbers.
J. Crew said it’s disabled the accounts of those affected.
Jason Kent of security provider Cequence Security noted in an email to RIS that this type of breach is quite common for businesses.
“The challenge is that this type of vulnerability is often considered low risk because it is up to the user to have a good password, change it regularly, include special characters, etc.,” he said. “In this case, it’s easy to see that even though the user has some responsibility, the system shouldn’t be built in such a way that an attacker can test credentials and later construct an automated attack that isn’t noticed.”
“Attacks against the API of a mobile application are often difficult to see happening because the design of an API normally includes the ability to be extremely fast and thousands of transactions per second are possible,” Kent added. “Knowing where these types of attacks can occur, instrumenting those endpoints to block automated attacks is the best prevention.”
The news of the breach came on the heels of the company’s full-year financial results, in which it reported sales for the J. Crew brand down 4% for the year, to $1.7 billion. Total revenue, however, increased 2% to $2.5 billion, in part driven by a 14% sales increase for its Madewell brand.
The company, which brought on former Victoria’s Secret CEO Jan Singer as its new chief in January, also reported that it was delaying its proposed Madewell IPO to April 30, from March 18.