Clothing company J.Crew said an unknown hacker accessed some of its customers’ online accounts almost a year ago, according to reports.
Although the attack occurred in 2019, the company only now revealed that an unknown number of customers had been affected by the attack.
In a filing with the California attorney general on Tuesday (March 3), the company said the breach occurred in April of last year, and the attack focused on user information from online accounts, including card types, the last four digits of card payment numbers, expiration dates and associated billing addresses.
Online accounts also store order numbers, shipping confirmation numbers and shipment statuses.
A spokesperson for J.Crew said the hackers used a technique called credential stuffing, meaning existing sets of exposed or breached usernames and passwords were matched against different websites to access accounts.
The spokesperson said only a small amount of user accounts were affected but declined to say how many.
Companies doing business in California are obligated to warn the state attorney general’s office of security breach incidents involving more than 500 Californians. The letter to the state called this incident a multi-state case, meaning individuals in other states besides California were affected.
A bigger question not yet clarified has to do with why the company waited a year to inform anyone of the attack.
The spokesperson said “routine web scanning” had detected the breach, and that customers had then been “promptly notified.” The company didn’t say when the scanning took place or why the breaches hadn’t been detected sooner. Under the laws of California and New York, where J.Crew is headquartered, there’s no specific time limit where the companies have to disclose such a breach, except that customers are notified in the most expedient time possible and without delay.
J.Crew isn’t the only company of late to disclose a hack — others such as Ring, Chipotle, Spotify and MGM Resorts have also been victims of hacking.