According to a company spokesman, the data most likely at risk is as follows:
• Credit Card Number
• Credit Card Expiration Date
• Customer Name
No other data was harvested (although this is certainly enough to be damaging), and the company has yet to release any information on the total number of stores that were impacted or the total number of customers who were compromised.
There are a couple of interesting things to talk about where this latest breach is concerned, and Buckle makes a good case study of how not to handle the aftermath of a large-scale data breach.
In the first place, the company is only notifying its customers now, some two months after it found out about the breach. After two months of intensive investigation, it seems curious that the company does not yet have precise details on the number of impacted users, or at the very least, the number of stores. In the absence of this information, the only safe thing to do is to assume that all stores were breached, and every shopper who made a purchase during the timeframe is at risk.
Secondly, the company says that the malware was “quickly and easily removed from all impacted POS terminals,” which is a good thing. But if removing it was such a trivial task, that raises questions about the state of the data security that let it in and allowed it to run undetected for six months.
Unfortunately, the details above represent the sum total of all information provided by Buckle so far, two months after the attack. So, again, if you’ve made a purchase from the store during that timeframe, you may be at risk.