Fashion retailer Guess recently announced a data breach that compromised 1,300 people and their information, including account numbers, debit and credit card numbers, social security numbers, access codes and personal identification numbers.
Guess said the data leak was investigated upon discovery of the cybersecurity incident designed to encrypt files and "disrupt businesses operations." The investigation determined that there was unauthorized access to certain Guess systems between February 2, 2021 and February 23, 2021. Guess just started mailing notification letters to the individuals whose information may have been involved.
As a result of the breach, Guess is offering a complimentary one-year membership in credit monitoring and identity theft protection services through Experian to individuals involved in the incident. The company said it was implementing additional measures to further enhance the security of its network and existing security protocols.
BleepingComputer reports the DarkSide ransomware gang is most likely behind the attack, as DataBreache.net reported in April that Guess was listed on the threat actor's data leaks site. The gang appears to have shut down, shortly after taking down Colonial Pipeline in May, after heightened scrutiny from law enforcement and having some of their infrastructure seized.
According to Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, a provider of change management software, "There is a fairly large amount of unanswered questions in this breach notification and the event itself. Why sensitive personal information like SSNs or account details was stored in clear text is one of them. That some data sets were apparently incomplete indicates a lack in managing clean and lean data of its customers. Being stock listed, it will be interesting to read through filings for additional details and whether SEC will ask for more details. Measures to avoid such an incident, companies should make sure to have the essential controls in place."
Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, “Disclosure of the GUESS breach reminds us that not all ransomware attacks are big and ambitious. They come in all shapes and sizes and are as much a fact of life on the digital landscape as fender-benders on the freeway. We’re on the way to a more secure digital future, but in the meantime every business must realize what GUESS learned the hard way: all are potential targets. When all adopt a security-first IT philosophy emphasizing better attack detection, better quality of life will follow.”