Poppin' Tags, Breachin’ Data


We still can’t get that crazy-catchy Thrift Shop beat of a couple of years ago out of our heads. Rapper Macklemore had everybody thinking about heading to the closest pre-worn clothes emporium to pop some tags--a kind of hipster field trip step-up from the pursuit of dumpster diving chic.

Macklemore famously sang that he had “twenty dollars in my pocket” before he headed off to the used clothes depot.  And using cash for his shopping probably would have saved him from cybercriminals that recently targeted credit card data from the America's Thrift Stores chain that operates at 18 locations in Alabama, Georgia, Mississippi, Louisiana and Tennessee.

Ken Sobaski, the company’s chief executive officer, said that a malware-driven security breach had targeted software used by a third-party service provider and that the cyberattack was traced to criminals from Eastern Europe.

The CEO said the “U.S. Secret Service tells us that only card numbers and expiration dates were stolen. They do not believe any customer names, phone numbers, addresses or email addresses were compromised. This breach may have affected sales transactions between September 1, 2015 and September 27, 2015.”

The company posted a FAQ on the breach which said the malware had been removed and no longer posed a threat. It also said it had hired independent forensic investigation company Sikich—which it noted is certified by the Payment Card Industry Security Standards Council—to help it assess the situation.

And the lessons learned? Even a humble thrift store may be the target of cybercriminals and always use cash at the thrift store as it will both protect your credit cards and prevent you buying too many Rayon Hawaiian shirts. But you just might want to break out the card for that dogs playing poker painting.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.