You'll never Guess whose data has been nicked as US fashion firm confirms systems breach
Not the only one either; Spread Group admits to even worse pwnage
Updated: Fashion brands Guess and Spread Group have confirmed data breaches in which crooks walked off with US Social Security Numbers (SSNs), contracts, passwords, payment details, and more.
The two companies were breached in separate attacks earlier this year, statements released by both confirmed, with a range of personal data leaked as a result. Guess warned that SSNs, driving licence numbers, passport numbers, and financial account numbers of "certain individuals" had been obtained by the attackers; Spread Group, meanwhile, saw a somewhat wider breach leaking hashed passwords, payment details, and contract information for both customers and suppliers.
"Spread Group was the target of an organised cyber-attack which was carried out with considerably vicious criminal intent," the company said in a statement. "The unidentified perpetrators managed to break through the company's high security standards and access internal data, including the addresses and contractual data of customers, partners, employees, and external suppliers.
"Also affected are the payment details of a small number of customers who made payments to Spreadshirt, Spreadshop or TeamShirts via bank transfer, or who have received a refund via bank transfer. According to the latest information from our investigations, the bank details of any other customers were not saved on any of the hacked servers. In addition, the bank account numbers and PayPal addresses of partners who have received commission payments from Spread Group were also affected."
Spread Group claimed that the attack did not affect its day-to-day operations, but we found its sites are more than a little glitchy. The Register observed repeated attempts to change the password or delete outright an account identified as being affected by the breach, none of which were successful – while the company's understandably busy support staff were unavailable to assist.
The company confirmed that "password hashes saved before 2014" were leaked as part of the breach, indicating that it was at least storing passwords in an irreversible format, albeit one potentially vulnerable to brute-force attack – but did not answer our question as to whether it was storing the remainder of its customers' and suppliers' data in an encrypted form.
In a letter sent to parties affected by the breach at Guess, obtained and uploaded by Sergiu Gatlan of BleepingComputer, the company claimed to have "notified law enforcement" and "implemented additional measures to enhance our security protocols" following the discovery of the intrusion earlier this year.
Guess has also offered those contacted a year's membership in the Experian IdentityWorks fraud-monitoring service – something Spread Group does not appear as keen to bankroll.
The attacks follow a breach linked to the REvil ransomware-as-a-service group against fashion giant French Connection, in which internal company data, including scans of passports belonging to senior staff members but not, the company claimed, customer information, was exfiltrated and offered for sale.
Guess was invited to comment on the breach, but had not responded at the time of publication. ®
Updated to add
"Guess recently concluded an investigation into a security incident that involved unauthorized access to certain systems on Guess's network," a spokesperson told The Register.
"We engaged independent cybersecurity firms to assist in the investigation, notified law enforcement, notified the subset of employees and contractors whose information was involved and took steps to enhance the security of our systems.
"The investigation determined that no customer payment card information was involved. This incident did not have a material impact on our operations or financial results."