Vera Bradley says payment system hacked, delaying website upgrade

(Reuters) - Handbag maker Vera Bradley Inc said on Wednesday hackers may have accessed customer data from payment processing systems in its stores, partly contributing to a delay in an upgrade of its website that could hurt holiday-season sales.

The company said hackers may have accessed customer data including card numbers, cardholder names, expiration dates and internal verification codes between July 25 and Sept. 23.

Vera Bradley, which had 112 stores and 44 factory outlets at the end of July, said the delay in the upgrade of its website “could impact its ability to generate positive comparable sales growth” in the fourth quarter ending January.

The company, however, said it did not expect a material impact on earnings-per-share for the quarter or full year.

The exact number of cards affected is unclear, spokeswoman Julia Bentley said in an email. Cards used to shop on the company’s website were not affected.

The FBI alerted the company on Sept. 15 about a “potential data security issue” in its retail network, Bentley said.

The company then launched an investigation that showed hackers had installed a program in the company’s payment processing system that tracked customer data contained in the magnetic stripes of payment cards.

“Vera Bradley has stopped this incident,” the company said, adding that it was working with cyber security firm FireEye Inc’s Mandiant business to improve security.

The company, whose shares fell as much as 3 percent in early trading on Wednesday, said it had postponed the upgrade of its website to focus on improving security. The new website will now be launched in the first quarter of 2017.

Vera Bradley said it expected insurance to cover most of the expenses related to the breach. The company did not provide an estimate on the expenses related to the hack.

The hack is the latest in a series of incidents involving payment processing systems this year.

Burger chain Wendy’s Co reported in July that some customers’ payment card data, including card numbers and other key information, was stolen in a malware attack that affected about 1,025 of its franchised outlets in the United States.

Vera Bradley’s shares were down 0.2 percent in afternoon trading.

Reporting by Abhijith Ganapavaram and Siddharth Cavale in Bengaluru; Editing by Sriraj Kalluvila and Ted Kerr