David’s Bridal over the weekend confirmed it notified 4,132 Texans of a data breach that compromised customers’ and employees’ names, Social Security numbers, medical information, health insurance information, addresses, and driver’s license numbers, according to the state Attorney General.
Two ransomware gangs claimed responsibility for breaches at David’s Bridal: LockBit in January 2024 and Werewolves in February 2024. It’s possible that both groups exploited the same vulnerability to access the data. Werewolves demanded $850,000 in ransom. The ransom deadlines set by the groups have both since lapsed.
David’s Bridal has not verified either group’s claim. We do not yet know how many people are affected by the breach outside of Texas, whether David’s Bridal paid a ransom, how much money the groups demanded, or how attackers breached the company’s network.
Comparitech contacted David’s Bridal for comment and will update this article if it responds.
The company is facing at least two class-action lawsuits for failing to protect the personal information of employees and customers. The lawsuits say David’s Bridal didn’t do enough to secure data following the first ransomware attack by LockBit, and failed to notify affected individuals in a timely manner.
Who is LockBit?
LockBit is one of the most prolific ransomware gangs of the decade. It’s responsible for several high-profile attacks on targets such as Boeing, Change Healthcare, Oracle, Evolve Bank and Trust, McCamish Infosys, and several local governments and schools.
LockBit claimed 66 confirmed ransomware attacks so far in 2024, affecting more than 8 million records. One of its biggest attacks on the retail sector was on Canadian company London Drugs, in which LockBit demanded $25 million. London Drugs reportedly countered with an $8 million offer.
We’ve logged another 421 ransomware attacks claimed by LockBit this year, but that haven’t been confirmed by the targets.
Who are Werewolves?
The attack on David’s Bridal is the first of 2024 for Werewolves. In 2023, we only recorded one confirmed attack on the Agency for Electronic Communications in Macedonia, for which it demanded $76,000 in ransom. The Macedonian government refused to pay it.
Another three attacks were claimed by Werewolves but not confirmed by victims in 2024. The group has been relatively quiet since March following 20 unconfirmed claims in December 2024.
Ransomware attacks on US retail
In addition to data theft, ransomware attacks on retail companies can disrupt day-to-day operations such as orders, email, phone systems, billing, and payroll. Targets are coerced into paying a ransom for keys to restore affected systems, and/or for not selling or publishing stolen data.
Comparitech researchers recorded 13 attacks on US retail companies so far in 2024, affecting 220,000 records. Some of the biggest such attacks include those on MarineMax (123,494 records) and My Daily Choice (89,188 records).
Another 71 ransomware attacks on US retail companies in 2024 were claimed but not confirmed.
About David’s Bridal
David’s Bridal makes wedding dresses and other formal clothing for weddings. It sells more than a quarter of all the wedding dresses purchased in the US, employs 12,000 people, and operates 195 stores in the US, Canada, and UK. In January 2023, the company launched Pearl, a wedding planning app. In July 2023, David’s Bridal was acquired by CION Investment Corporation.