Fashion chain Forever 21 has suffered what it has described as a “data security incident” that saw a hacker gain access to its systems for months, and exposed the personal details of 539,207 current and former employees.
In a data breach notification filed with the Maine Attorney General’s Office, Forever 21 revealed that it first realised an “unauthorized third party” had accessed some of its systems on March 20 2023. A subsequent investigation determined that the security breach occurred at various times between January 5 and March 21 2023 before, presumably, the hacker’s access was blocked.
Files obtained by the intruder during that time contained sensitive information about past and present employees, including:
- Names
- Dates of birth
- Bank account numbers
- Social security numbers
- Information related to staff’s health plan, including enrollment and premiums paid data
The company says it has “no evidence” to suggest the accessed information has been misused for purposes of fraud or identity theft, “and no reason to believe that it will be.”
It's good to hear that Forever 21 feels confident that nothing bad has happened, and that nothing will in future – but (as has been pointed out many times before) an absence of evidence is not the same as having the evidence of absence.
It may be that nothing bad has happened with some of the personal data leaked at Forever 21, and never will in the future, but how can anyone – let alone a fashion retailer – know that with any certainty? Just because no-one has told them the information has been abused, or no-one has linked abuse of over half a million people’s personal information to the Forever 21 breach earlier this year doesn’t mean that it hasn’t happened, and will never happen in the future.
Forever 21 also states that it doesn’t believe that the breached data was copied, retained, or shared by the third party who accessed it. Without more information (does it know who accessed the data?), it's hard to know how the company has come to that determination with any certainty.
The retailer says that the risk to former and current employees is “low.”
It also believes that the third party hasn’t copied, retained, or shared any of the data, and therefore, the risk to individuals is low. Personally, I would err on the side of caution. To that end I would recommend current and former employees at the company take advantage of the firm’s offer of complimentary 12 month identity protection, and keep their eye open for suspicious activity.
Sadly, this isn’t the first time that Forever 21 has suffered a security breach.
In 2017, the company warned customers to keep a close eye on their credit card statements after it suffered a data breach made worse by a failure to properly encrypt payment data at point-of-sale terminals.
And between 2004 and 2007, the details of almost 100,000 customers’ payment cards were stolen from Forever 21. Forever 21 only learnt about that breach after it was contacted by the US Secret Service, which was investigating a gang who had launched a spate of attacks against retailers who weren’t securely encrypting credit and debit card transaction data.