Billion-dollar fashion brand Guess has sent letters out to an unknown number of people whose information they lost during a ransomware attack in February.
First shared by Bleeping Computer's Sergiu Gatlan, the letters state that "unauthorized access" to certain Guess systems between Feb. 2, 2021 and Feb. 23, 2021 led to a breach of Social Security numbers, driver's license numbers, passport numbers, and financial account numbers.
The letters -- signed by Guess HR senior director Susan Tenney -- only went out to four residents in Maine, per the state's guidelines, but the company implied that more people were affected.
In a statement to ZDNet, a Guess spokesperson would not answer questions about how many victims there were, only saying that "no customer payment card information was involved."
The Guess spokesperson would not confirm whether the breach was part of a ransomware attack, but the company appeared on the victim data leak site for ransomware group DarkSide in April, and the group openly boasted about stealing 200 GB of data from the fashion brand during an attack in February.
"Guess?, Inc. recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess?, Inc.'s network. We engaged independent cybersecurity firms to assist in the investigation, notified law enforcement, notified the subset of employees and contractors whose information was involved, and took steps to enhance the security of our systems," the spokesperson told ZDNet.
"The investigation determined that no customer payment card information was involved. This incident did not have a material impact on our operations or financial results."
In April, a member of DarkSide spoke with a reporter from Databreaches.net, telling the site that they had studied Guess' financial records and knew the company brought in nearly $2.7 billion in revenue last year.
"We recommend using your insurance, which just covers this case. It will bring you four times more than you spend on acquiring such a valuable experience," the DarkSide representative said in messages translated from Russian.
"We act in stages and notify the press usually already when exactly sure that the company will not pay. As for [Guess and another company they named] -- I think the press will see them."
DarkSide shut down its operations in May after their attack on Colonial Pipeline brought international condemnation and increased scrutiny from law enforcement.
In its letter to victims, Guess said it only recently finished its investigation into the cybersecurity incident, which they said was "designed to encrypt files and disrupt business operations."
Their security team discovered the incident on February 19 but realized that cybercriminals were in their system until February 23. It took until May 26 for the company to confirm that the personal information of "certain individuals" was accessed or acquired by an unauthorized actor.
The company waited until July 9 to begin sending out notification letters to those who were affected. As most companies do, Guess is offering the victims one year of credit monitoring and identity theft protection services from Experian.
Guess also said it set up a call center for people with questions about the incident or those interested in enrolling in credit monitoring services.
Erich Kron, security awareness advocate at KnowBe4, noted that this was an example of the long tail that ransomware attacks have.
"Although the Darkside ransomware group is out of commission, that does not mean this breach is insignificant. The significant amount and very personal types of data being collected by the organization, including passport numbers, Social Security numbers, driver's license numbers, financial account and/or credit/debit card numbers with security codes, passwords, or PIN numbers, is an extremely valuable dataset for cybercriminals if they want to steal identities," Kron said.
"For this reason, unlike it appears in this case, organizations are wise to limit the amount of data kept and stored in systems."