Buckle, Inc. says credit card information was accessed by criminal entity

KEARNEY, Nebraska — The Buckle, Inc. has made the following notification:

We became aware that The Buckle, Inc. was a victim of a security incident in which a criminal entity accessed some guest credit card information follow purchases at some of our retail stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.

Through that investigation we learned that our store payment data systems were infected with a form of malicious code, which was quickly removed. Based on the forensic investigation, we believe that no social security numbers, email addresses or physical addresses were obtained by those criminally responsible. There is also no evidence that the buckle.com website or buckle.com guests were impacted.

All Buckle stores had EMV (“chip card”) technology enabled during the time that the incident occurred and we believe the exposure of cardholder data that can be used to create counterfeit cards is limited. However, it is possible that certain credit card numbers may have been compromised.

We take the protection of payment card data very seriously. We are cooperating fully with card brands and forensic investigation services. Any affected individuals either have or will likely receive communications from their issuing banks with additional instructions and/or replacement cards. In line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Additional details on the incident, as well as steps that you can take to protect your personal information, are set forth below.

What Happened

Buckle identified malware on certain Buckle retail store location point-of-sale (POS) systems. This malware apparently was designed to record payment card data (including account number, account holder’s name, and expiration date) from cards used in the affected POS devices in Buckle retail stores. Buckle believes that certain payment cards used in its stores between October 28, 2016 and April 14, 2017 may have been affected. Buckle currently believes that the malware did not collect data from all transactions or all POS systems for each day within that time period.

What Information Was Involved

The malware searched for track data read from the magnetic stripe of a payment card (which, based on the forensic artifacts Buckle has been able to review, sometimes included cardholder name in addition to card number and expiration date). There is no indication that other guest information was collected and no indication that any information submitted through Buckle.com was affected.

What We Are Doing

Buckle promptly engaged forensic experts who performed a detailed investigation of Buckle’s environment. As part of Buckle’s response, connections between Buckle’s network and potentially malicious external IP addresses were blocked, potentially compromised systems were isolated, and malware-related files residing on Buckle’s systems were eradicated. Additionally, Buckle reported a potential incident to the payment card brands and is cooperating with them regarding this incident.

What You Can Do

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional information and additional steps you may take.