"While the full extent of the breach has not been verified – and it is possible you were not affected – we wanted to be sure to share with you what we could," it said in the email. "When we began hearing from a few customers about possible fraudulent credit card charges in the middle of October, we launched an investigation. At that time, we did not know a data breach had occurred. However, as the number of these concerns increased in early November, we removed all credit card data from our site on November 11th since it became clearer that, although we couldn’t find a breach, something was going on. Last week we confirmed that an IP address from China was used to hack our website and potentially compromised customer credit card information. As far as we can tell, this did not affect any in store transactions."
Apart from removing credit card data from the site, the company is speeding up the launch of a new website, on which all credit card data will be tokenized through a third party.
Until more is known about the breach, the customers have been advised to check their credit card statements for suspicious transactions and to apply for a free credit report. Also, all customers visiting the site are faced with a request to reset their account password.