The credit card information of as many as five million Saks Fifth Avenue, Saks Off 5th and Lord & Taylor shoppers has been compromised over the last year, but the parent company says that it has identified the issue, taken steps to contain it, and that customers won’t be liable for any fraudulent charges that occur as a result of the data breach.
“The disclosure came after New York-based security firm Gemini Advisory LLC revealed on Sunday that a hacking group known as JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2. While the extent of its holdings remains unclear, about 125,000 records were immediately released for sale,” reports Matt O’Brien for the Associated Press.
“The theft is one of the largest known breaches of a retailer and shows just how difficult it is to secure credit-card transaction systems despite the lessons learned from other large data breaches, including the theft of 40 million card numbers from Target in 2013 and 56 million card numbers from Home Depot in 2014. Last year, Equifax, a credit reporting firm, disclosed that sensitive financial information on 145.5 million Americans had been exposed in a breach of the company’s systems,” observe Vindu Goel and Rachel Abrams for the New York Times.
Dmitry Chorine, Gemini Advisory’s co-founder and chief technology officer, tells the AP’s O’Brien that the hack likely began last year, and that a department-store chain is a departure from the group’s previous targets, which were hotel and restaurant chains.
“Chorine said the hackers’ typical method is to send cleverly crafted phishing emails to company employees, especially managers, supervisors and other key decision-makers. Once an employee clicks on an attachment, which is often made to look like an invoice, the system gets infected,” O’Brien writes.
A spokesman for Brampton, Ont.-based Hudson’s Bay Co. tells the Wall Street Journal’s Robert McMillan and Suzanne Kapner that it “doesn’t believe Social Security or driver’s license numbers have been compromised” and that “there was no indication at this time that the breach affected its e-commerce operations, or other store brands it owns, including the Hudson’s Bay department-store chain in Canada or Galeria Kaufhof in Germany.”
“Some were cards that were used by card owners as recently as last month in one of the affected stores,” says Gemini Advisory’s Chorine.
“After previous breaches, the JokerStash group has released credit-card data in smaller batches, to avoid flooding the market for illegally obtained payment credentials, Mr. Chorine said,” write McMillan and Kapner.
Gemini Advisory said “that it had found data that had been stolen from as early as March 2017,” according to a Canadian Press story in the Toronto Star.
“[Chorine] said that only certain Saks Fifth Avenue locations were affected because the outlet was in the process of switching from card-swipe technology to EMV chip technology, which is already commonly used in Canada. Stores that had already implemented chip machines would likely not be exposed to the data breach, Chorine said,” the Canadian Press story continues.
“It’s not the first time Hudson’s Bay has run into trouble over data protection. The company published thousands of customers’ personal information — including email addresses and phone numbers — last year. In that instance, payment data was not exposed, a spokeswoman said at the time,” Bloomberg’s Rachel Evans reports.
“Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay,” report Reuters’ Jim Finkle and David Henry. “If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.
“Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal investigators.”
That’s an interesting factoid that, of course, will be no comfort whatsoever to those bada-boomed by the latest breach.