In a mandatory filing with the California attorney general this week, J. Crew Group, Inc. disclosed a breach of customer accounts dating back to April 2019.
The filing is brief, but reporting from TechCrunch indicates that under 10,000 accounts were affected by the credential-stuffing-related breach.
As TechCrunch points out, “a bigger, unanswered question is why it took J. Crew almost a year to detect and disclose the incident to regulators and customers.” While the company indicated that the breach was discovered during routine web scanning, an overwhelming majority of breaches go undetected by companies.
For a retail company, the potential cyber-financial (CyFi) impacts of the event include:
- Compromised customer data. The most valuable data (and most valuable asset) J. Crew possesses is customer financial and behavioral data. Based on the initial company statement, no financial data was disclosed.
- Ability to maximize profit per inventory. Behavioral data helps J. Crew understand and anticipate what, where, and when the customer wants to buy. This data underpins a company’s ability to personalize an offering. J. Crew monetizes this data and achieves greater efficiency by applying these insights to maximize profit per inventory—a key KPI that can be adversely impacted during a customer data breach of a sizeable scale.
If its scope is confined to what the company has stated, this breach will have limited downside financial impact on the company, typical of a customer data loss event. But the incident indicates a need for management to increase focus on security, even amid a multi-year cost-optimization program, in order to avoid a repeat performance that could be more damaging. Such an attack could certainly overshadow the rare good news story of Madewell in the lead-up to its IPO this year, a story new J. Crew CEO Jan Singer would likely prefer to tell.
Madewell’s success demonstrates the importance of technology to the current and future growth of the company. This higher-growth division of J. Crew accounts for approximately one-third of sales and owes some of its success to a savvy direct-to-consumer strategy that generates 40 percent of its own sales from e-commerce.