Security News > 2021 > July > You'll never Guess whose data has been nicked as US fashion firm confirms systems breach

Fashion brands Guess and Spread Group have confirmed data breaches in which crooks walked off with US Social Security Numbers, contracts, passwords, payment details, and more.

Guess warned that SSNs, driving licence numbers, passport numbers, and financial account numbers of "Certain individuals" had been obtained by the attackers; Spread Group saw a somewhat wider breach leaking hashed passwords, payment details, and contract information for both customers and suppliers.

"The unidentified perpetrators managed to break through the company's high security standards and access internal data, including the addresses and contractual data of customers, partners, employees, and external suppliers."

The company confirmed that "Password hashes saved before 2014" were leaked as part of the breach, indicating that it was at least storing passwords in an irreversible but potentially vulnerable to brute-force format - but did not answer our question as to whether it was storing the remainder of its customers' and suppliers' data in an encrypted form.

The attacks follow a breach linked to the REvil ransomware-as-a-service group against fashion giant French Connection, in which internal company data - but not, the company claimed, customer information - including scans of passports belonging to senior staff members, were exfiltrated and offered for sale.

"Guess recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess's network," a spokesperson told The Register.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/13/guess_spread_group_data_breaches/