Guess Data Breach Indicates Theft After Ransomware Attack

American clothing brand and retailer Guess just began notifying customers of a data breach caused by a February ransomware attack. 

According to a letter from Guess, the retailer contracted a cybersecurity firm to assist with their investigation in February into the ransomware attack. They discovered “unauthorized access to Guess’ systems between February 2, 2021, and February 23, 2021.”

“On May 26, 2021, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor. The investigation determined that Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers may have been accessed or acquired.”

Guess finally identified the addresses of all affected individuals after reviewing exposed documents on June 3. It began informing customers on June 9 and filed a breach notification a month later. 

While only 1,300 individuals may have been affected by the Guess data breach, the extent of the damage suffered by each affected customer should serve as a warning to enterprises of all sizes. 

Databreaches.net reported in April DarkSide ransomware gang claimed responsibility for the Guess data breach and ransomware attack. We gathered some cybersecurity expert commentary on the breach. Here’s what we learned.  

Guess Data Breach Indicates Theft After Ransomware Attack

Casey Ellis

Casey Ellis is the CTO and Founder of Bugcrowd.  

“The pandemic has accelerated digital transformation for retailers and further shifted consumer buying habits online, which has expanded their attack surface and heightened the number of vulnerabilities and risks of a breach. This breach should serve as a reminder for all retailers to evaluate their security processes. 

Many retailers are relying on new systems that were built on the fly as organizations adapted to the customer requirements of the pandemic. As a result, these systems often haven’t been properly tested in high-volume transaction environments before. Speed is the natural enemy of security, and retailers must beware of increased risks of DDoS attacks, ransomware, fraudulent purchases, phishing campaigns impersonating retailers. 

Retailers can adopt a ‘neighborhood watch’ approach to security, engaging outside ethical hackers and even the general public to proactively disclose vulnerabilities before cyber-criminals can exploit them. This allows retailers to discover security issues before the adversary does, protect their users, and avoid a disrupting breach. As we have seen with this attack, failing to ensure security at the scale needed will grant attackers access to large quantities of customer information and data such as social security numbers, driver’s license numbers, passport numbers, and/or financial account numbers, as well as the ability to inject ransomware into the retailer’s networks.” 

Uriel Maimon

Uriel Maimon is Senior Director of Emerging Technologies at PerimeterX.

“When hackers obtain information from a breach, both the company and its customers can be affected for years to come. Personal information, for example, can be used to create synthetic identities that are then used to generate fraudulent credit card or loan applications which inevitably affects the original users but also the financial institution. Our recent PerimeterX Automated Fraud Benchmark Report found that ATO and credentials stuffing are two of the most damaging types of automated attacks faced by businesses today, which affect the original website whose brand and image will inevitably suffer and whose reporting obligations and liability may be very costly. Web app security is everyone’s problem, and we must all work together to make the web a safer place.”

Erich Kron

Erich Kron is Security Awareness Advocate at KnowBe4. 

“Although the Darkside ransomware group is out of commission, that does not mean this breach is insignificant. The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver’s license numbers, financial account and/or credit/debit card numbers with security codes, passwords, or PIN numbers, is an extremely valuable dataset for cyber criminals if they want to steal identities. For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems.

Since ransomware, including that from the Darkside group and their affiliates, often targets compromised user accounts for remote access services and also typically relies heavily on email phishing campaigns, these are areas organizations should focus on securing. Ensuring multi-factor authentication is used to protect accounts, employees are trained to spot and report phishing emails and good password hygiene can go a long way to improving security against these types of breaches. In addition, organizations should have data loss prevention (DLP) controls in place and monitored constantly.”

Thanks to these experts for their time and expertise. For more, check out the Endpoint Security Buyer’s Guide or the Endpoint Detection and Response Buyer’s Guide.