Hackers stole credit card data from Buckle stores' cash registers
Malware sat on its point-of-sale systems for months.
If you shopped at Buckle in the past several months, you might want to check your financial statements -- the clothing store has confirmed a Krebs on Security report of a data breach. Intruders planted malware on the chain's cash register systems to steal credit card data between October 28th, 2016 and April 14th, 2017. The potential data loss is limited if you used a relatively secure chip-based card, but it's much worse if you relied on the magnetic stripe. The malware looked at stripe tracking data to collect names, card numbers and expiration dates.
Buckle says it "promptly" took steps to investigate and scrub the malware (which didn't touch its online store), but it's not clear how many customers could have been affected or who's behind the breach. If the attackers wanted, though, they could have used the info to duplicate cards and go on shopping sprees.
The incident is a reminder of the ongoing problems with magnetic card security at American stores, some of which aren't the fault of the retailers. It's clearly a problem that Buckle didn't catch the malware for months, and that we're only hearing about the breach two months after Buckle resolved it. However, there's only so much that shops can do to mitigate the damage from these thefts. Some American banks still haven't issued chip-based cards, and you aren't obliged to replace an existing stripe-only card until it expires. It may take years before chips dominate American shopping the way they do in other countries, and that makes it all too tempting to hijack their point-of-sale systems in the meantime.