The company said Friday morning that all the card data had been stolen between November 8 and November 26 from one of Bebe’s stores. Purchases made through the company’s website, its mobile site or mobile app, or in one of its Canadian or international stores were not compromised.
According to Brian Krebs at website Krebs on Security, the stolen card data is being used to make new fraudulent cards:
The bank acquired cards from a batch that [a relatively new cybercrime shop called goodshopbiz] released on Dec. 1, called “Happy Winter Update.” … The card fraud shop “goodshopbiz is selling thousands of the cards … [in a price range] of $10 to $27 per card.
Goodshopbiz is not selling the fraudulent cards, but data that has been stolen from the cards can then be encoded on the magnetic strip on the back of new plastic to make a counterfeit card. Thieves then use the fraudulent cards to buy expensive items like electronics and gift cards that can be turned quickly into cash.
According to Krebs, the most common way for thieves to steal card data is by hacking into cash registers and planting malware that reads a credit card’s magnet strip and sends the data to the thief. This is what happened in the data breaches that hit Target Corp. (NYSE: TGT) last holiday season and Home Depot Inc. (NYSE: HD) earlier this year.
Bebe’s stock closed at $2.73 on Thursday, down about 0.4% in a 52-week range of $2.00 to $7.03. Shares were inactive in Friday’s premarket trading.