News

Guess suffers ransomware attack and data breach

The fashion retailer said Social Security numbers may have leaked

13 Jul 2021

Fashion brand Guess notified customers of a data breach that occurred in February following a ransomware attack.

According to an email sent to its Maine customers, the company recently investigated the attack.

“Upon discovery of the incident on February 19, 2021, Guess activated its incident response plan, and a cyber security forensics firm was engaged to assist with the investigation and containment. The investigation determined that there was unauthorized access to certain Guess systems between February 2, 2021 and February 23, 2021,” the email stated.

“On May 26, 2021, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor.”

Guess said hackers might have accessed or acquired Social Security numbers, driver's license numbers, passport numbers, and/or financial account numbers. It has also notified law enforcement and is cooperating with their investigation. The retailer also said it would implement additional measures to enhance security protocols.

Erich Kron, a security awareness advocate at KnowBe4, told ITPro the significant amount of personal data collected is an extremely valuable dataset for cyber criminals seeking to steal identities.

“Since ransomware, including that from the Darkside group and their affiliates, often targets compromised user accounts for remote access services and also typically relies heavily on email phishing campaigns, these are areas organizations should focus on securing,” Kron said.

“Ensuring multi-factor authentication is used to protect accounts, employees are trained to spot and report phishing emails and good password hygiene can go a long way to improving security against these types of breaches. In addition, organizations should have data loss prevention (DLP) controls in place and monitored constantly."

Trevor Morgan, product manager at comforte AG, told ITPro that companies have a responsibility to carry out the due diligence of protecting the data they have already collected and processed.

“Keeping it secure behind a perimeter is a good start, but applying data-centric security like tokenization, which replaces sensitive data elements with innocuous tokens, helps to mitigate situations like these when data breaches actually occur,” Morgan said.

“Even if hackers get their hands on tokenized sensitive data, they can’t do anything with it and thus it becomes worthless (and protects data subjects from potentially catastrophic consequences). The investment for organizations into data-centric security is a much better scenario than the fallout from a data breach."