Hudson’s Bay Co. has a handle on its previously announced data breach — an incident that its investigation revealed lasted nine months.
The department store retailer reported
earlier this month that its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores became the targets of a security breach. New details from the company’s investigation revealed that the attack began as early as July 1, 2017.
The breach has been contained since March 31, and “no longer poses a risk to customers shopping at its stores,” according to the company.
HBC’s investigation revealed that the breach was caused by malware installed on certain point-of-sale systems at potentially all Saks Fifth Avenue, Saks Off 5th and Lord & Taylor locations in North America. The malware was designed to collect customers’ payment card information, including cardholder names, payment card numbers and expiration dates.
There is no evidence that contact information, Social Security or Social Insurance numbers, driver’s license numbers, or PINs associated with the cards were pilfered. Saks Fifth Avenue credit cards were also not compromised.
Not all customers who shopped at the impacted stores during the breach were affected by the cyber-attack. The incident did not impact the company’s e-commerce or other digital platforms, or Hudson’s Bay, Home Outfitters, or HBC Europe, according to HBC.
As soon as HBC became aware of a potential issue, the company quickly engaged data security experts to conduct an investigation. HBC also has been working with law enforcement authorities to address this criminal activity, and has been coordinating with the payment card companies.
“Our customers are our top priority and we take the protection of their information very seriously,” said HBC CEO Helena Foulkes. “We deeply regret any concern this issue may have caused. Throughout this process, we have made it our goal to work quickly to provide support and information to our customers and we will continue to serve them with that same dedication.”
Going forward, HBC is offering impacted customers with free identity protection services, including credit and Web monitoring. The retailer has also established a dedicated call center for customers to obtain more information about the breach. Customers are also encouraged to review their account statements and contact their card issuer immediately if they identify an unauthorized charges.