Shopping Cart0item(s)

Empty Cart

Product was successfully added to your shopping cart.
5

NOTICE OF DATA BREACH

July 18, 2016

Message to Our Valued Customers:

We recently became aware of a computer intrusion that affected checkout systems at a number of San Antonio Shoemakers retail stores in the United States and our customer service center which accepts telephone orders. Promptly after discovering the issue, we engaged outside cybersecurity experts to conduct an extensive investigation. We have been working closely with law enforcement authorities and coordinating our efforts with the payment card organizations to determine the facts.

We sincerely regret any inconvenience and concern that this incident may cause. We want to assure you that protecting the security of our customers’ payment card information is a top priority for San Antonio Shoemakers, and we are taking this situation very seriously, from our executive team down. In order to minimize any impact on our customers, we are providing twenty-four months of identity protection to affected customers (details provided below).

What Happened and What Information Was Involved:

On or about June 8, 2016, we discovered that the checkout systems used by a number of our retail stores in the United States and our customer service center were infected with a type of malicious software, or “malware,” enabling unauthorized parties to access payment card data of some of our customers. A list of affected locations can be found here.

Based on the investigation, we have determined the following:

  • The attack potentially put at risk payment cards used in purchases made at certain San Antonio Shoemakers retail stores and through our customer service center between the dates of April 21, 2016, the earliest date when the malware was installed on any system, and June 13, 2016, by which time the malware was removed from all affected systems.
  • The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date.
  • There is no evidence that other types of customer data, such as contact information, Social Security numbers (which San Antonio Shoemakers never collects) or PINs, were affected by this issue.

What We Are Doing:

We want you to know that San Antonio Shoemakers has taken steps to secure its systems and that the malware no longer presents a threat to customers using payment cards at our stores. Further, we have no indication that our online store was affected by this malware attack.

What You Can Do:

You are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228. We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports. If you believe your payment card may have been affected, please contact your bank or card issuer immediately. The U.S. Federal Trade Commission provides further guidance on steps you can take to protect your personal information, which you can access online at https://www.identitytheft.gov.

As an added precaution, we have arranged to have AllClear ID protect your identity for twenty-four months at no cost to you. The following identity protection services start on the date of this notice, and you can use them at any time during the next twenty-four months:

  • AllClear Identity Repair: This service is automatically available to you with no enrollment required. If a problem arises, simply call 1-855-422-7189 and a dedicated investigator will help recover financial losses, restore your credit and make sure your identity is returned to its proper condition.
  • AllClear Identity Theft Monitoring: This service offers additional layers of protection including identity theft monitoring that delivers secure, actionable alerts to you by phone and $1 million identity theft insurance coverage. To use this service, you will need to provide your personal information to AllClear ID. You may sign up online at https://SASshoes.allclearid.com or by phone by calling 1-855-422-7189.
  • Please note: Additional steps may be required by you in order to activate your phone alerts and monitoring options.

For More Information:

Below you will find some steps that you can take to protect your identity. We encourage you to review these steps and take appropriate action to help prevent any misuse of your information.

If you have any questions about this incident or would like more information about these services, please call 1-855-422-7189 between 8:00 a.m. and 8:00 p.m., Central Time, Monday through Saturday (excluding national holidays).

Other Important Information

We recommend that you regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.

  • Equifax: P.O. Box 740241, Atlanta, Georgia 30374-0241, 1-800-685-1111, www.equifax.com
  • Experian: P.O. Box 9532, Allen, TX 75013, 1-888-397-3742, www.experian.com
  • TransUnion: P.O. Box 1000, Chester, PA 19022, 1-800-888-4213, www.transunion.com

When you receive your credit reports, review them carefully. Look for accounts or creditor inquiries that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

We recommend you remain vigilant with respect to reviewing your account statements and credit reports, and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general and/or the Federal Trade Commission (“FTC”). You may contact the FTC or your state’s regulatory authority to obtain additional information about avoiding identity theft.

  • Federal Trade Commission, Consumer Response Center
    600 Pennsylvania Avenue, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft
  • For residents of Maryland and Rhode Island: You may also obtain information about preventing and avoiding identity theft from the Attorney General of your state:
    • Maryland Office of the Attorney General, Consumer Protection Division
      200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us
    • Rhode Island Office of the Attorney General, Consumer Protection Unit
      150 South Main Street, Providence, RI 02903, 1-401-274-4400, www.riag.ri.gov
  • For residents of Massachusetts and Rhode Island: You also have the right to obtain a police report.
  • For residents of North Carolina: You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office:
    • North Carolina Attorney General’s Office, Consumer Protection Division
      9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-5-NO-SCAM, www.ncdoj.gov

Fraud Alerts: There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three national credit reporting agencies listed below.

  • Equifax: 1-888-766-0008, www.equifax.com
  • Experian: 1-888-397-3742, www.experian.com
  • TransUnion: 1-800-680-7289, fraud.transunion.com

Credit Freezes (for Residents Not of Massachusetts or Rhode Island): You may have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. In addition, you may incur fees to place, lift and/or remove a credit freeze. Credit freeze laws vary from state to state. The cost of placing, temporarily lifting, and removing a credit freeze also varies by state, generally $5 to $20 per action at each credit reporting company. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information:

  • Equifax: P.O. Box 105788, Atlanta, GA 30348, www.equifax.com
  • Experian: P.O. Box 9554, Allen, TX 75013, www.experian.com
  • TransUnion, LLC: P.O. Box 2000, Chester, PA, 19022-2000, freeze.transunion.com

You can obtain more information about fraud alerts and credit freezes by contacting the FTC or one of the national credit reporting agencies listed above.

Credit Freezes (for Massachusetts and Rhode Island Residents): You have the ability to place a security freeze on your consumer reports. A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. Using a security freeze, however, may delay your ability to obtain credit. You may request that a freeze be placed on your credit report by sending a request to a credit reporting agency by certified mail, overnight mail or regular stamped mail to the address below:

  • Equifax: P.O. Box 105788, Atlanta, GA 30348, www.equifax.com
  • Experian: P.O. Box 9554, Allen, TX 75013, www.experian.com
  • TransUnion, LLC: P.O. Box 2000, Chester, PA, 19022-2000, freeze.transunion.com

Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. The following information should be included when requesting a security freeze (documentation for you and your spouse must be submitted when freezing a spouse’s credit report): full name, with middle initial and any suffixes; Social Security number; date of birth (month, day and year); current address and previous addresses for the past five (5) years; and applicable fee (if any) or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles. The request should also include a copy of a government-issued identification card, such as a driver’s license, state or military ID card, and a copy of a utility bill, bank or insurance statement. Each copy should be legible, display your name and current mailing address, and the date of issue (statement dates must be recent). The credit reporting company may charge a reasonable fee of up to $5 to place a freeze or lift or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and have submitted a valid police report relating to the identity theft to the credit reporting company.

Frequently Asked Questions

  1. What happened?
    • We became aware of a potential computer intrusion affecting certain San Antonio Shoemakers locations. Promptly after discovering the issue, we engaged outside cybersecurity experts to conduct an extensive investigation. Based on the investigation, we discovered that the checkout systems used by a number of San Antonio Shoemakers retail stores in the United States and our customer service center were infected with a type of malicious software, or “malware.” We have no indication that our online store or any corporate systems were affected.
  2. What did San Antonio Shoemakers do when it discovered the issue?
    • Promptly after discovering the issue, we engaged outside cybersecurity experts to conduct an extensive investigation. We also have been working closely with law enforcement authorities and coordinating our efforts with the payment card organizations to determine the facts. Upon the written request of the United States Attorney’s Office for the Southern District of New York and the New York Electronic Crimes Task Force of the United States Secret Service, we delayed notifying individuals potentially affected by this incident for 30 days while law enforcement began their investigation.
  3. What information may have been compromised?
    • The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other types of customer data, such as contact information, Social Security numbers (which we never collect) or PINs, were affected by this incident.
  4. Which stores were affected by this incident, and during what time period?
    • A list of affected locations can be found here. Customers who used a payment card at any of these locations between April 21, 2016—the earliest date when the malware was installed on any system—and June 13, 2016—by which time the malware was removed from all affected systems—are potentially at risk from this incident. We have no indication that our online store was affected.
  5. Has the intrusion been contained?
    • Yes. The malware involved in this incident has been removed from all affected systems.
  6. Is it safe to use a payment card at San Antonio Shoemakers stores?
    • Yes. The malware no longer presents a threat to customers using payment cards at our retail stores or through the customer service center.
  7. Is my payment card information affected?
    • We are sending individual notices to potentially affected customers for whom we have a street address or email address on file.

      However, because we do not maintain contact information for all of our customers, San Antonio Shoemakers cannot identify every individual affected. If you used a payment card at any of the locations listed here during the time period from April 21, 2016 to June 13, 2016, then your payment card information was potentially put at risk from this incident. Therefore, please refer to your payment card statements to see if you used a card at one of the affected locations during the relevant time period.
  8. What should I do to help protect my information?
    • If you see any unusual activity on your payment card account statements or otherwise believe your payment card has been compromised, you should immediately contact your bank or card issuer. We encourage you to review your account statements and monitor your free credit reports. Under U.S. law, you are entitled to one free credit report annually from each of the three national credit bureaus.

      To order your free credit report, visit www.annualcreditreport.com or call toll free at 1-877-322-8228. For more information about steps you can take to protect your credit files, you can contact any one of the consumer reporting agencies at:
      • Equifax
        1-800-525-6285
        www.equifax.com
      • Experian
        1-888-397-3742
        www.experian.com
      • TransUnion
        1-800-680-7289
        www.transunion.com
      • In addition, we have arranged with AllClear ID to offer identity protection services to potentially affected customers for two years at no cost to them.
      • The U.S. Federal Trade Commission provides further guidance on steps individuals can take to protect their personal information, which can be accessed online at https://www.identitytheft.gov.
  9. How do I find out more about the identity protection services being offered?
    • We have arranged with AllClear ID to offer identity protection services to potentially affected customers for twenty-four months at no cost to them. For more information about these services, please visit https://SASshoes.allclearid.com or call 1-855-422-7189 between 8:00 a.m. and 8:00 p.m., Central Time, Monday through Saturday (excluding national holidays).
  10. Where can I get more information?
    • If you have any questions or would like additional information regarding this incident, please call 1-855-422-7189 between 8:00 a.m. and 8:00 p.m., Central Time, Monday through Saturday (excluding national holidays).
  11. Will my local San Antonio Shoemakers retail store be able to answer my questions or help me with the AllClear ID services?
    • To minimize impact on our customers and provide them with the most effective assistance available, we have arranged with AllClear ID so that dedicated personnel who are knowledgeable about this issue will be available to assist our customers as needed. If you have any questions or would like additional information regarding the incident, please call 1-855-422-7189 between 8:00 a.m. and 8:00 p.m., Central Time, Monday through Saturday (excluding national holidays).
  12. What personal information does San Antonio Shoemakers maintain regarding its customers?
    • San Antonio Shoemakers maintains contact information (which may include street address, phone number, or email address) for customers who choose to provide such information at checkout. There is no indication that such contact information was affected by this incident.

      San Antonio Shoemakers does not store customer payment card information after a transaction is processed. The malware involved in this incident was designed to capture payment card information during the processing of transactions.