Vogue chain Eternally 21 has suffered what it has described as a “information safety incident” that noticed a hacker acquire entry to its techniques for months, and uncovered the non-public particulars of 539,207 present and former workers.
In a information breach notification filed with the Maine Lawyer Common’s Workplace, Eternally 21 revealed that it first realised an “unauthorized third get together” had accessed a few of its techniques on March 20 2023. A subsequent investigation decided that the safety breach occurred at varied instances between January 5 and March 21 2023 earlier than, presumably, the hacker’s entry was blocked.
Information obtained by the intruder throughout that point contained delicate details about previous and current workers, together with:
- Names
- Dates of beginning
- Checking account numbers
- Social safety numbers
- Data associated to workers’s well being plan, together with enrollment and premiums paid information
The corporate says it has “no proof” to counsel the accessed data has been misused for functions of fraud or id theft, “and no motive to consider that it is going to be.”
It is good to listen to that Eternally 21 feels assured that nothing unhealthy has occurred, and that nothing will likely be in future – however (as has been identified many instances earlier than) an absence of proof shouldn’t be the identical as having the proof of absence.
It might be that nothing unhealthy has occurred with a few of the private information leaked at Eternally 21, and can by no means sooner or later, however how can anybody – not to mention a trend retailer – know that with any certainty? Simply because no-one has informed them the data has been abused, or no-one has linked abuse of over half 1,000,000 folks’s private data to the Eternally 21 breach earlier this 12 months doesn’t imply that it hasn’t occurred, and can by no means occur sooner or later.
Eternally 21 additionally states that it doesn’t consider that the breaches information was copied, retained, or shared by the third get together who accessed it. With out extra data (does it know who accessed the information?), it is laborious to understand how the corporate has come to that willpower with any certainty.
The retailer says that the danger to former and present workers is “low.”
It additionally believes that the third get together hasn’t copied, retained, or shared any of the information, and subsequently, the danger to people is low. Personally, I’d err on the aspect of warning. To that finish I’d advocate present and former staff on the firm reap the benefits of the agency’s supply of complimentary 12 month id safety, and hold their eye open for suspicious exercise.
Sadly, this isn’t the primary time that Eternally 21 has suffered a safety breach.
In 2017, the corporate warned prospects to maintain an in depth eye on their bank card statements after it suffered an information breach made worse by a failure to correctly encrypt fee information at point-of-sales terminals.
And between 2004 and 2007, the small print of just about 100,000 prospects’ fee playing cards had been stolen from Eternally 21. Eternally 21 solely learnt about that breach after it was contacted by the US Secret Service, which was investigating a gang who had launched a spate of assaults towards retailers who weren’t securely encrypting credit score and debit card transaction information.
