Veridian Credit Union says Eddie Bauer should compensate financial institutions for their costs after a hack of the retailer’s point-of-sale system stole consumer payment-card information.

Share story

A credit union has sued Eddie Bauer, alleging that the Bellevue clothing retailer failed to take adequate steps to protect against a hack that swiped the credit-card information of customers last year.

Veridian Credit Union accused Eddie Bauer of deploying lax security standards, forcing Veridian and other financial institutions to bear costs related to theft of payment-card information from the clothier’s point-of-sale systems.

The Waterloo, Iowa, credit union filed the suit, which is seeking class-action status, in federal court in Seattle on Tuesday.

An Eddie Bauer spokesman said the company would defend itself against the claims in the lawsuit, and declined further comment.

Most Read Stories

Unlimited Digital Access. $1 for 4 weeks.

Eddie Bauer in August disclosed that the company had discovered malware on its point-of-sale systems at its stores in the U.S. and Canada. The company said credit- and debit-card payments made between Jan. 2, 2016, and July 17, 2016, may have been accessed. Online sales weren’t affected.

It appears that hundreds of thousands, or perhaps millions, of customers had their payment card information compromised, the lawsuit said.

Eddie Bauer, the complaint says, was negligent, and should compensate financial institutions for costs related to reissuing stolen credit and debit cards, refunding unauthorized transactions and other fallout from the breach.

The deficiencies in Eddie Bauer’s security system include “a lack of elementary security measures that even the most inexperienced [information technology] professional could identify as problematic,” the complaint said.

The company failed to implement chip-based card anti-fraud technology, and exacerbated the problem by failing to notify customers for weeks after learning about the problem, the lawsuit says.

A security researcher, Brian Krebs, said he had informed the company of the breach on July 5, after sources at financial institutions told him of a pattern of fraud that might be linked to Eddie Bauer. The company notified consumers of the breach on Aug.18.

The retailer, taken private by private-equity firm Golden Gate Capital after separate bankruptcy filings in 2002 and 2009, operates about 370 stores in the U.S. and Canada.