A large retail data breach at Saks Fifth Avenue and Lord & Taylor stores was reported on April 1, and the impact is no joke.
More than 5 million payment cards were allegedly stolen in the data breach, according to security firm Gemini Advisory, which first publicly reported the incident. Gemini Advisory became aware of the breach as early as March 28, when a hacker group listed a cache of stolen credit cards for sale in a dark web forum. Analysis of the stolen payment cards by Gemini Advisory in cooperation with several financial institutions identified Saks Fifth Avenue and Lord & Taylor stores as the source for the cards, which has been confirmed by the retail stores’ parent company, Hudson’s Bay Company (HBC).
“HBC (TSX:HBC) today announced that it has become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America,” HBC stated in a press release. “While the investigation is ongoing, there is no indication at this time that this affects the Company’s e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe.”
Gemini Advisory’s analysis estimates that the HBC-owned stores were compromised somewhere around May 2017. In addition, the security firm suspects that 83 Saks Fifth Avenue stores and all Lord & Taylor locations were compromised in the data breach. HBC has not yet publicly confirmed or denied the length of time the Lord & Taylor and Saks retail systems were compromised, or which specific stores were breached.
“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores,” HBC stated.
While payment card information was stolen and is now being offered for sale by hackers, HBC has stated that Social Security or Social Insurance numbers, driver’s license numbers, and payment card PINs were not part of the data breach.
Gemini Advisory has alleged that the cyber-attacker group known as JokerStash is behind the sale of the stolen payment cards. The same group has been linked to multiple retail breaches in recent years, including the breaches of grocery chain Whole Foods and Chipotle restaurants in 2017.
JokerStash has not released its entire cache of payment cards stolen from Saks and Lord & Taylor yet. According to Gemini Advisory, currently only 90,000 Lord & Taylor and 35,000 Saks Fifth Avenue compromised records have been offered for sale to date.
While attackers potentially can use the stolen payment cards, HBC stated that customers won’t be liable for fraudulent charges that come as a result of the data breach.
“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” HBC stated. “We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.