Retail Giant J. Crew Hacked and Kept it Quiet for a Year
Category
News, Awareness
Risk Level
Retail giant J. Crew announced on Tuesday [5/5/2020] via a filing with the California attorney general that they had been hacked. What’s concerning is that the data breach occurred over a year ago, in or around April 2019, putting your information at risk.
“What is a data breach?”
A data breach is when information is exposed to someone who should not be able to see it. While most data breaches that you hear about in the news are related to passwords or credit card information being stolen by a hacker, a data breach can also include your personal information, health information, or proprietary information from the organization you work for. These are all things that shouldn't fall into the wrong hands.
“Ok, but what does it mean for me?”
Data breaches can be tricky because you have to understand what has been taken, and how you can protect yourself from that information being used inappropriately. For example, if the news reported that passwords had been stolen from a website, you would change your password for that website. Or, if your credit card number gets stolen, you usually report it to your credit card company and receive a new one.
“But J. Crew kept this quiet for a year, right?”
According to the filing, the hacker was able to access customers’ online accounts in or around April 2019, and accessed the following information:
Your email address
Your J. Crew account password
The last four digits of your credit card number
Expiration date for your credit card
Your billing address(es)
Other order information like order numbers, shipping confirmation numbers, and shipment statuses
This is bad because all of this information has been stolen for over a year. If you recall from another ACT post, hackers could have used “credential stuffing” - or re-using your hacked password - to break into other accounts with the same password for over a year. This is a prime example of why you need a password manager, and why you need to have a long, complex, unique password for every website, device, and account you own.
“So what do I do?”
The key after a data breach is to focus on the sensitive information that was stolen, and what actions that you can take to mitigate the effects. We’ve outlined the most important ones, and what you should do right now, below:
Your email has likely become an extension of your name at this point, so how do you protect it? Unlike your name you have a few options. Changing it doesn’t make sense since you’ll have to update your family, friends, and websites with your new address. Instead, make sure you stay alert for phishing emails (emails that try to trick you into doing something bad) since your email has probably been added to a spam list and you’ll be receiving more junk email soon. You should also make sure that the password you use for your email is not the same password that was stolen during the data breach.
PASSWORD
While there are a number of ways companies protect your passwords when they are stored online, some companies do it better than others. It’s best to play it safe though and change your password for your J. Crew account right now. Even more important, if you used this password somewhere else, like your bank, change that password too. Don’t forget: this is easy with a password manager!
ADDRESS
Unfortunately your address isn’t virtual and you can’t just “reset it.” So what can you do? Most likely no one is going to come visit you, but they may try to use your address to apply for a new credit card. The best way to stop this is by freezing your credit. Check out our easy to follow guide for more information.
CREDIT CARD NUMBER
In this case, it looks like the entire credit card number and information wasn’t stolen, which is good news. However, J.Crew may still be investigating the data breach and new details may emerge. It’s worth keeping an eye on your credit card statements and purchases for any strange activity, and if you see some, call your credit card company immediately and report it.
Finally, if you’re worried about staying on top of the latest data breaches, make sure to subscribe to the ACT Digest, where we’ll tell you about what’s going on in the cybersecurity world, and how you can protect yourself, your friends, your family, and your organization.