The Buckle Suffers a Credit Card Breach

The Buckle Inc., an apparel retailer that operates more than 450 stores in 44 U.S. states, disclosed Friday that its retail locations were hit by malicious software designed to steal customer credit card data. The disclosure came hours after KrebsOnSecurity contacted the company regarding reports from sources in the financial sector about a possible breach at the retailer. The Buckle released a statement saying that point-of-sale malware was found installed on cash registers at the company's retail stores, and that it believes the malware was stealing customer credit card data between Oct. 28, 2016 and April 14, 2017. The Buckle said purchases made on its online store were not affected.

Total Retail's Take: While Buckle's POS terminals are EMV capable — i.e., they can accommodate newer, more secure chip-based credit and debit cards — not all customers are using those cards. Some banks haven't issued the chip-enabled credit cards, which are much more difficult for thieves to counterfeit, but also more expensive to produce. Customers who shopped at compromised Buckle stores using a chip-based card would not be in danger of having their cards cloned and used elsewhere, but the stolen card data could still be used for e-commerce fraud. There's perhaps nothing more important for retailers than the trust of their customers, making data security a priority for brands. I would expect Buckle, already dealing with declining sales, to struggle to retain customers and acquire new ones with this latest bit of bad news.