Retail Giant J. Crew Hacked and Kept it Quiet for a Year

NewsAwarenessRisk Level: 2
Written By Alex Nette

Category

News, Awareness

Risk Level

Threat Levels-03.png
 

Retail giant J. Crew announced on Tuesday [5/5/2020] via a filing with the California attorney general that they had been hacked.  What’s concerning is that the data breach occurred over a year ago, in or around April 2019, putting your information at risk.

“What is a data breach?”

A data breach is when information is exposed to someone who should not be able to see it. While most data breaches that you hear about in the news are related to passwords or credit card information being stolen by a hacker, a data breach can also include your personal information, health information, or proprietary information from the organization you work for. These are all things that shouldn't fall into the wrong hands.

“Ok, but what does it mean for me?”

Data breaches can be tricky because you have to understand what has been taken, and how you can protect yourself from that information being used inappropriately. For example, if the news reported that passwords had been stolen from a website, you would change your password for that website. Or, if your credit card number gets stolen, you usually report it to your credit card company and receive a new one.

“But J. Crew kept this quiet for a year, right?”

According to the filing, the hacker was able to access customers’ online accounts in or around April 2019, and accessed the following information:

  • Your email address

  • Your J. Crew account password

  • The last four digits of your credit card number

  • Expiration date for your credit card

  • Your billing address(es)

  • Other order information like order numbers, shipping confirmation numbers, and shipment statuses

This is bad because all of this information has been stolen for over a year.  If you recall from another ACT post, hackers could have used “credential stuffing” - or re-using your hacked password - to break into other accounts with the same password for over a year.  This is a prime example of why you need a password manager, and why you need to have a long, complex, unique password for every website, device, and account you own.

“So what do I do?”

The key after a data breach is to focus on the sensitive information that was stolen, and what actions that you can take to mitigate the effects.  We’ve outlined the most important ones, and what you should do right now, below:

EMAIL

Your email has likely become an extension of your name at this point, so how do you protect it? Unlike your name you have a few options. Changing it doesn’t make sense since you’ll have to update your family, friends, and websites with your new address. Instead, make sure you stay alert for phishing emails (emails that try to trick you into doing something bad) since your email has probably been added to a spam list and you’ll be receiving more junk email soon.  You should also make sure that the password you use for your email is not the same password that was stolen during the data breach.

PASSWORD

While there are a number of ways companies protect your passwords when they are stored online, some companies do it better than others. It’s best to play it safe though and change your password for your J. Crew account right now. Even more important, if you used this password somewhere else, like your bank, change that password too.  Don’t forget: this is easy with a password manager!

ADDRESS

Unfortunately your address isn’t virtual and you can’t just “reset it.”  So what can you do? Most likely no one is going to come visit you, but they may try to use your address to apply for a new credit card. The best way to stop this is by freezing your credit. Check out our easy to follow guide for more information.

CREDIT CARD NUMBER

In this case, it looks like the entire credit card number and information wasn’t stolen, which is good news.  However, J.Crew may still be investigating the data breach and new details may emerge. It’s worth keeping an eye on your credit card statements and purchases for any strange activity, and if you see some, call your credit card company immediately and report it.

Finally, if you’re worried about staying on top of the latest data breaches, make sure to subscribe to the ACT Digest, where we’ll tell you about what’s going on in the cybersecurity world, and how you can protect yourself, your friends, your family, and your organization.

 

Follow us - stay ahead.

Read more of the ACT

Featured
Are Your Passwords in the Green?
Are Your Passwords in the Green?

It's the 2024 update to our Hive Systems Password Table - including using a new “most-hacked” password hash. See why our Password Table has been shown and written about on the news, published by universities, and shared by companies across the globe. Learn more and download your copy!

Let’s Talk About Cookies!
Let’s Talk About Cookies!

Cookies help enhance our browsing experience, but what are the risks? Learn more about how cookies work, what data they collect, and how you can protect your data from misuse.

Navigating the Dual Impact of AI in Cybersecurity
Navigating the Dual Impact of AI in Cybersecurity

Artificial Intelligence (AI) is set to be the newest ally for many companies, but it’s also set to be the newest threat.

Alex Nette https://www.hivesystems.com/alex-nette
Previous

Should I buy a RFID Wallet or Purse to Protect my new Credit Card?
Next

Hacking Your Brain with Coronavirus