GUESS, Inc., the owner of the GUESS brand, has confirmed it recently provided notice to an unknown number of people whose information was compromised as a result of unauthorized access to the company's systems back in February 2021. A GUESS spokesperson would not confirm how many people were affected but did say that payment card information was not involved. According to reports from recipients of the breach notification letters, the information accessed included social security numbers, driver's license numbers, passport numbers, and financial account numbers.
According to the reported timeline, GUESS discovered the data breach in late February, confirmed that personal information was impermissibly accessed or acquired at the end of May, and sent letters to affected individuals on July 9—underscoring the length of time a company reasonably needs to fully vet an actual or even alleged data security issue.
While GUESS has not attributed this data breach to a ransomware attack, it should be noted that GUESS has been targeted by the ransomware group DarkSide, which claimed to have stolen 200 GB of data from the company back in February. Darkside is the same group responsible for the much more publicized Colonial Pipeline attack and has apparently ceased its ransomware operations following the pipeline incident. The demise of the Darkside group, however, is no consolation for affected individuals whose stolen information will no doubt circulate within the dark web for use by other cybercriminals for other nefarious purposes.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor developments.