US retailer Eddie Bauer had said that hackers may have accessed customers' payment card information after infecting its point-of-sale systems with malware.
Following an investigation involving the FBI and a private cyber forensics firm, the retailer has said that customers who purchased an item using a card between January 2 and July 17 this year could have had their details compromised. Hackers infected Eddie Bauer's systems as part of a "sophisticated attack" directed at a number of retailers, restaurants and hotels, the company said.
Eddie Bauer said that any traces of malware have now been removed from its systems. It added that it is taking steps to prevent such an incident occurring again, and ensure customers won't be held accountable for any fraudulent activity carried out by anyone using stolen data.
"We have been working closely with the FBI, cybersecurity experts, and payment card organizations, and want to assure our customers that we have fully identified and contained the incident and that no customers will be responsible for any fraudulent charges to their accounts," said Eddie Bauer CEO Mike Egeck.
In an open letter to customers, Egeck said the company is "conducting a comprehensive review of our IT systems to incorporate recommended security measures in order to strengthen them and prevent this from happening again".
However, the company has not provided any information on how malware infected its point-of-sale systems or who might have been behind the attack.
While not all transactions made in Eddie Bauer stores across the US and Canada were affected by the malware, the company is offering identity protection services to who all customers who purchased or returned items in the six month period of the infection. Customers using the online store aren't affected by the breach.
The company says it's in the process of identifying customers whose payment information may have been stolen and will notify those who've been affected. It is also working with payment card networks so that they can coordinate with card-issuing banks to monitor for fraudulent activity.