Lord & Taylor and Saks Data Breaches Affect 5M Customers

As per reports, massive data breaches that happened at Saks Fifth Avenue and at Lord & Taylor have affected almost five million customers, whose data might have been compromised. Reports even say that the stolen data is all set to be sold on the dark web.

The Wall Street Journal reports- “Hackers breached the payment systems of Saks Fifth Avenue and Lord & Taylor department stores and stole credit card information for millions of shoppers, the latest in a series of intrusions that have exposed security gaps in corporate networks…Hackers claim they have five million credit card and debit card numbers from the stores and have been releasing them for sale on the “dark web,” a network of websites used by hackers and others to anonymously share information, according to Gemini Advisory LLC, ”

Gemini Advisory LLC, the cyber security research firm that has brought the hacks to light, reports- “On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web”, and adds- “Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.”

Preliminary analysis, as per Gemini Advisory LLC, suggests that the hackers were carrying out the breach from May 2017 onwards. Gemini Advisory LLC reports- “Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations.”

Hudson’s Bay Company, the Canadian corporation that owns both Saks Fifth Avenue and Lord & Taylor, has confirmed the breach. A statement issued by the company says- “We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe. We deeply regret any inconvenience or concern this may cause.”

The statement addresses the customers directly and states- “We wanted to reach out to our customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize. ”

The inference is that the breach has been executed by sending phishing emails to retail employees. New York Times reports- “Although it’s unclear exactly how the malware was installed in the stores’ checkout systems, Gemini said it was most likely through phishing emails sent to Hudson’s Bay employees. ”

As per reports, the full scope of the data breach is yet to be assessed as the hackers have not released the entire card data in one batch. It’s also reported that there is no indication that the breach has impacted online sales records at Saks and Lord & Taylor outlets.

New York Times has made a very interesting observation in its report of the breach; the report states- “The theft is one of the largest known breaches of a retailer and shows just how difficult it is to secure credit-card transaction systems despite the lessons learned from other large data breaches, including the theft of 40 million card numbers from Target in 2013 and 56 million card numbers from Home Depot in 2014. Last year, Equifax, a credit reporting firm, disclosed that sensitive financial information on 145.5 million Americans had been exposed in a breach of the company’s systems.”