Saks, Lord & Taylor hacked; 5 million payment cards compromised

Hackers managed to lurk on the network of Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor for nearly a year and steal the payment card data of 5 million customers.

Hackers made off with a whopping 5 million credit and debit card numbers from Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor, placing it “among the most significant credit card heists in modern history.”

Parent company Canada-based Hudson’s Bay Company announced the breach affecting the North American stores on Sunday, saying, “HBC has identified the issue, and has taken steps to contain it.”

HBC disclosed the hack after cybersecurity firm Gemini Advisory revealed that the JokerStash hacking group, aka Fin7, claimed to have 5 million stolen payment card numbers the group intends to sell on the dark web. The group responsible for this hack was also reportedly responsible for hacking “Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels and many more.

Credit card numbers stolen between May 2017 and March 2018

Gemini believes the hackers pwned the retailers’ point-of-sale systems and stole the card numbers between May 2017 and March 2018 from Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor. The hackers likely got malware to infect the systems via phishing emails and then managed to steal the more than 5 million records by quietly sitting on the network for nearly a year.

Gemini added, “It appears that all Lord & Taylor and 83 U.S.-based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.”

JokerStash hackers are selling the stolen payment records

On Wednesday, JokerStash announced a “brand new breach” called “BIGBADABOOM-2.” The payment record details are being sold in small batches, so banks will have a harder time detecting the stolen card data. The hackers put a small number of compromised records up for immediate sale on the dark web. Of the 125,000 records for sale, Gemini said “approximately 35,000 records” are from Saks Fifth Avenue and “90,000 records” are from Lord & Taylor.

Although HBC promised that affected customers won’t be liable for fraudulent charges, Gemini pointed out that “cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time.”

In addition to the announcement on the Hudson’s Bay Company site, HBC also posted online notices on Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor, saying the issue was identified and contained so that “it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe. We deeply regret any inconvenience or concern this may cause.”

HBC is reportedly working with data security investigators, as well as law enforcement and payment card companies. The company will offer impacted victims free identity protection services.