Buckle Inc. was hit with point-of-sale (POS) malware on the payment data systems at an undisclosed number of locations.
The firm launched an investigation into the incident and engaged third-party forensic experts to review the systems and secure the affected part of the network.
The malware searched for track data read from the magnetic stripe of a payment card and was designed to steal payment card data including account numbers, account holder names, and expiration dates, according to a June 16 press release.
“All Buckle stores had EMV ('chip card') technology enabled during the time that the incident occurred and we believe the exposure of cardholder data that can be used to create counterfeit cards is limited,” the clothier said in the release. “However, it is possible that certain credit card numbers may have been compromised.”
The malware is believed to have been active between October 28, 2016 and April 14, 2017.
Independent researcher Brian Krebs said the disclosure came hours after he contacted the company, having received reports from the financial sector about a possible breach at the retailer.
Prior to the announcement, there had reportedly been a pattern of fraud on customer credit and debit cards suggesting a point-of-sale breach at Buckle stores across the country, the researcher said. It is unclear how many people were affected by the incident.