Canadian firm Hudson Bay, which owns both retailers, said it has “identified the issue and taken steps to contain it.” As in other high-profile breaches, the parent company said it will notify its customers and offer free identity protection services. So far, Hudson hasn’t said how many customer accounts or stores were affected. It is thought that the hackers installed the malicious code by leveraging information gathered in phishing emails sent to Hudson Bay’s employees.
Here’s what’s known so far:
- The JokerStash gang, aka Fin7, did it, according to a blog post by New York-based cyber security firm Gemini Advisory. JokerStash’s notable heists include Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.
- The cyber attack hit all 83 Saks locations and 51 Lord & Taylor outlets. It’s possible three stores in Ontario, Canada, have also been compromised.
- On March 28, JokerStash announced a new records dump. As of Sunday, about 125,000 cards -- 35,000 from Saks and 90,000 from Lord & Taylor -- had been offered for sale on the black market. Most of the stolen cards belong to shoppers in New York and New Jersey.
- Gemini said it expects all five million bank cards will be dribbled out over the next few months so as not to saturate the market.
This case adds to the growing number of large-scale payment card thefts, including the 40 million records taken in the Target breach in 2013 and the Home Depot attack in which 56 million card numbers ended up in the wrong hands.
“With the declared number of compromised payment cards being in excess of five million, the current hacking attack is amongst the biggest and most damaging to ever hit retail companies,” Gemini said. In terms of the number of stolen records, however, it does not rank with the colossal non-retail data hacks of Yahoo and Equifax that affected hundreds of millions of customers.
Crooks in the Saks and Lord & Taylor burglary evidently used tactics similar to those in the Target and Home Depot attacks -- once inside the networks, there wasn’t any resistance to bar them from a clear path to every cash register.
“This recent breach once again emphasizes the importance of a transition to the more secure EMV POS terminals in retail operations,” Gemini said. “Although many large retailers managed to migrate entirely from older generation magstripe terminals to EMV (chip card authentication) in 2017, several nationwide chains still have not done so.”
Added Sophos Principal Research Scientist Chet Wisniewski:
“As long as stores continue to insecurely process card data, criminals will be there waiting to steal it. It is crucial that your card contain the latest security features including the EMV chip on the front that should be used for retail transactions. HBC has stated they had deployed EMV readers to all Saks stores before the breach, but it is unclear why they were not used. Where possible consumers should use Google Pay or Apple Pay as the most secure options to prevent payment fraud, followed by inserting the card in the chip reader or tap-to-pay with their cards. You should no longer use your card where they require a "swipe" as it is unsafe. Lastly, cash is always an option.”
Cyber hacks on point-of-sale machinery have slid from 45 percent of overall breaches in 2011 to slightly less than seven percent, according to the Verizon 2017 Data Breach Investigations Report (via USA Today). In this instance, however, the potential damage to cardholders in the Saks and Lord & Taylor hack could be greater than in other retail thefts, Gemini said (via the New York Times). Cardholders who frequent luxury retail chains are more likely to purchase high-ticket items regularly, making it more difficult for the fraud units of banks to identify and distinguish bogus transactions from legitimate purchases, the security specialist said. That could enable stolen cards to stay active longer.