6/16/17: The Buckle, Inc. Notification of Security Incident
We became aware that The Buckle, Inc. was a victim of a security incident in which a criminal entity accessed some guest credit card information following purchases at some of our retail stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.
Through that investigation we learned that our store payment data systems were infected with a form of malicious code, which was quickly removed. Based on the forensic investigation, we believe that no social security numbers, email addresses or physical addresses were obtained by those criminally responsible. There is also no evidence that the buckle.com website or buckle.com guests were impacted.
All Buckle stores had EMV (“chip card”) technology enabled during the time that the incident occurred and we believe the exposure of cardholder data that can be used to create counterfeit cards is limited. However, it is possible that certain credit card numbers may have been compromised.
We take the protection of payment card data very seriously. We are cooperating fully with card brands and forensic investigation services. Any affected individuals either have or will likely receive communications from their issuing banks with additional instructions and/or replacement cards. In line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Additional details on the incident, as well as steps that you can take to protect your personal information, are set forth below.
Buckle identified malware on certain Buckle retail store location point-of-sale (POS) systems. This malware apparently was designed to record payment card data (including account number, account holder’s name, and expiration date) from cards used in the affected POS devices in Buckle retail stores. Buckle believes that certain payment cards used in its stores between October 28, 2016 and April 14, 2017 may have been affected. Buckle currently believes that the malware did not collect data from all transactions or all POS systems for each day within that time period.
What Information Was Involved
The malware searched for track data read from the magnetic stripe of a payment card (which, based on the forensic artifacts Buckle has been able to review, sometimes included cardholder name in addition to card number and expiration date). There is no indication that other guest information was collected and no indication that any information submitted through Buckle.com was affected.
What We Are Doing
Buckle promptly engaged forensic experts who performed a detailed investigation of Buckle’s environment. As part of Buckle’s response, connections between Buckle’s network and potentially malicious external IP addresses were blocked, potentially compromised systems were isolated, and malware-related files residing on Buckle’s systems were eradicated. Additionally, Buckle reported a potential incident to the payment card brands and is cooperating with them regarding this incident.
What You Can Do
It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional information and additional steps you may take.
Steps You Can Take to Further Protect Your Information
We recommend that you remain vigilant by reviewing your account statements and free credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228
Credit Reporting Agencies
To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies. Contact information for the three nationwide credit reporting companies is as follows:
P.O. Box 740256 Atlanta, Georgia 30348
P.O. Box 9554 Allen, Texas 75013
P.O. Box 105281 Atlanta, GA 30348-5281
Security Freezes and Fraud Alerts
You may obtain information from the credit reporting agencies about security freezes. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may delay your ability to obtain credit.
To place a security freeze on your credit report, you need to send a request to each national credit reporting agency by certified mail, overnight mail, or regular stamped mail. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The consumer reporting agency may charge a fee to place a freeze or lift or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and you have submitted a valid police report relating to the identity theft incident to the national credit reporting agency. Visit the websites of each consumer reporting agency for more information about placing a freeze, as they may have different requirements depending on the state in which you reside.
California Residents: Your receipt of this notice has not been delayed as the result of any law enforcement investigation activity.
Maryland Residents: You may contact the Office of the Maryland Attorney General at 1 (888) 743-0023 by visiting the website https://www.oag.state.md.us/ or by writing to the Office of the Maryland Attorney General at 200 St. Paul Place, Baltimore, MD 21202. You can obtain information on the steps you can take to avoid identity theft from the FTC and the Office of the Maryland Attorney General.
Massachusetts Residents: You have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $5 to place a security freeze on your account.
New Mexico Residents: Victims of identity theft may have rights under the Fair Credit Reporting Act (FCRA). Further information can be found here: http://www.experian.com/blogs/ask-experian/credit-education/report-basics/fair-credit-reporting-act-fcra/new-mexico/
North Carolina Residents: You may contact the North Carolina Attorney General’s Office at 919-716-6400, or by visiting the website http://www.ncdoj.gov, or by writing to the Attorney General’s Office, 9001 Mail Service Center, Raleigh, NC 27699-9001.
Oregon Residents: If you suspect that you are the victim of identity theft, you should report suspected identity theft to law enforcement including the Oregon State Attorney General and the Federal Trade Commission.
Rhode Island Residents: You may obtain information about preventing and avoiding identity theft from the Rhode Island Office of the Attorney General at 150 South Main Street Providence, RI 02903, www.riag.ri.gov, (401)-274-4400. You have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account. Buckle is not able to confirm the number of affected individuals at this time.
West Virginia Residents: you have the right to the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft, as described above. You also have a right to place a security freeze on your credit report, as described above.
Additional Contact Information
If guests have questions regarding this incident, you can call 1-800-607-9788 Monday through Friday from 8:00 a.m. through 9:00 p.m., Saturday from 9:00 a.m. through 9:00 p.m., and Sunday from 12:00 p.m. through 6:00 p.m. (all times Central Time).
If members of the media have questions regarding this incident, please contact Joe Hixson or Beth Hoang at The Abernathy MacGregor Group, Inc. at (213) 630-6550.