Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

Guess Confirms Ransomware Attack and Data Breach

DarkSide Ransomware Operation Had Claimed Clothing Retailer Was Victim of Its Attack
Guess Confirms Ransomware Attack and Data Breach
Guess store in Miami (Photo: Phillip Pessar via Flickr/CC)

Clothing retailer Guess suffered a ransomware attack and data breach earlier this year that exposed personal information for an unspecified number of individuals.

See Also: Gartner Guide for Digital Forensics and Incident Response

As Bleeping Computer first reported, citing a data breach notification letter issued by Guess to 1,304 affected Maine residents, Guess says criminal hackers accessed its systems from approximately Feb. 2 to Feb. 23 and that the intrusion was "designed to encrypt files and disrupt business operations."

Los Angeles-based Guess has 1,580 stores globally, including 280 in the U.S. and 80 in Canada.

"Upon discovery of the incident on Feb. 19, Guess activated its incident response plan and a cybersecurity forensics firm was engaged to assist with the investigation and containment," Guess's breach notification says. "On May 26, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor."

Potentially exposed information includes Social Security numbers, driver's license numbers, passport numbers and financial information.

By June 3, Guess said it had identified all likely victims and their mailing addresses; it began mailing them on Friday. Guess says it's offering one year of prepaid identity theft monitoring to all victims.

"Guess has also established a dedicated call center for individuals to call with questions about the incident or enrolling in credit monitoring services," it says. "To reduce the risk of a similar incident occurring in the future, Guess implemented additional measures to further enhance the security of its network and existing security protocols."

The clothing retailer didn’t immediately respond to a request for more information about the incident, including how many individuals' personal details were affected, how many systems got locked by attackers or if Guess paid any ransom.

But in a statement sent to Bleeping Computer, Guess stated that as part of its investigation, it notified law enforcement agencies of the intrusion and also "notified the subset of employees and contractors whose information was involved." In addition, Guess said that "the investigation determined that no customer payment card information was involved" and also that "this incident did not have a material impact on our operations or financial results."

DarkSide Claimed Guess as Victim

The data breach tracking blog DataBreaches.net on April 12 noted that the DarkSide ransomware-as-a-service operation had listed Guess as a victim on its data leak site.

"DarkSide claims to have exfiltrated more than 200GB of data, and posted a number of samples as proof," DataBreaches.net reported. In the listing, as is typical, DarkSide included no specific ransom demand, but did reportedly advise Guess: "'We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience."

DarkSide functioned as a ransomware-as-a-service operation, meaning its administrators developed ransomware and surrounding services - such as a dedicated data leak site - while affiliates downloaded the crypto-locking malware and used it to infect victims. Whenever a victim paid a ransom, the affiliate and operator shared the profits.

On May 7, however, DarkSide appeared to overstep, hitting Colonial Pipeline Co., which supplies fuel for 45% of the U.S. East Coast, leading to many individuals hoarding fuel as the White House worked to calm accompanying fears.

In the wake of that attack, DarkSide reported via its data leak site that "we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers," and said also that "the hosting panels have been blocked," threat intelligence firm Intel 471 reported at the time.

As a result, DarkSide on May 13 claimed that it would stop all affiliate operations, reimburse all affiliates for attacks and issue decryption tools for them to share with victims.

Whether any of that actually happened remains unclear (see: Ransomware Gangs 'Playing Games' With Victims and Public).

"The affiliate program is closed. Stay safe and good luck," DarkSide announced in this May 13 note. (Source: Intel 471)

What happened to stolen Guess data - for example, if a DarkSide affiliate responsible for the attack sold it to others - also remains unclear, as does whether Guess received a decryption tool from DarkSide.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.