Hudson’s Bay Co., whose holdings include Saks Fifth Avenue and Lord & Taylor, is the latest retailer to be hit with a data breach.
The department store giant said that it had become aware of “a data security issue involving customer payment card data” at select Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor stores in North America. HBC said that while the investigation is ongoing, there is no indication at the current time that the breach impacted its e-commerce or other digital platforms.
According to a report by cybersecurity firm Gemini Advisory, debit and credit card information was stolen from more than five million customers who shopped in Saks and Lord & Taylor stores, with the majority of stolen credit card data obtained from New York and New Jersey locations. The firm said its preliminary analysis suggested that the hacking took place between May 2017 and the present.
“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7, announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark Web,” Gemini said.
In a statement about the breach, HBC assured customers that they would not be liable for fraudulent charges that may result from the breach.
“HBC has identified the issue, and has taken steps to contain it,” the retailer said. “Once the company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and Web monitoring.”
HBC also said it is working with leading data security investigators to get customers the information they need, and the investigation is ongoing.
“While locale-specific attacks like these aren't uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection,” commented Terry Ray, CTO of Imperva. “The problem organizations have is the actual identification of a breach or infection, especially in a reasonable time-frame. Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cyber security teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common. Usually, cyber security teams are underfunded, until a breach, then they get a little extra money, their teams are generally small and stretched thin. Given all the areas that can be attacked, security team members need broad technology knowledge which makes them highly desirable in the marketplace, going back to the underfunded point.”
Last year, HBC also made headlines over data protection when it published thousands of customers’ personal information -- including email addresses and phone numbers. However, payment information was not revealed.