In a hack that the New York Times is calling “one of the largest known breaches of a retailer”, Saks 5th Avenue and Lord & Taylor have had the credit and debit card information of millions of customers compromised by an ongoing intrusion that ran for months before it was shut down a few weeks ago.
Hudson’s Bay Company (HBC), the parent company of Saks 5th Avenue and Lord & Taylor, first announced the breach on April 1st (always a bad day to announce anything serious, unless you want people to assume, or at least hope, that it is an April Fool’s joke), saying it had shut the breach down only the day before (March 31st), after it had been going on for 9 months.
And they didn’t issue a public statement until just last week (which is why you may not have heard about it until now).
In HBC’s statement, issued on April 27th, HBC CEO Helena Foulkes explains that “Based on the investigation to date, we understand that, around July 1, 2017, malware began running on certain point of sale systems at potentially all Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor locations in North America. We have contained the issue and believe it no longer poses a risk to customers shopping at our stores. Not all customers who shopped at the potentially impacted stores during the relevant time period are affected by this issue. We want to reassure affected customers that they will not be liable for fraudulent charges that may result from this matter.”
According to the New York Times, the hack was carried out by “a well-known ring of cybercriminals”, and the paper quoted the security research firm that identified the breach as saying the intrusion was probably made possible “through phishing emails sent to Hudson’s Bay employees.” Foulkes confirms this in her statement.
This all goes to show, again, that the weakest link in an organization’s security is often the human factor, and usually that means employees.
This, by the way, is why we caution people, and especially businesses, not to have email clients display the contact image and ‘friendly name’ of the sender of incoming email: seeing a familiar face or name lulls the reader into assuming the message is safe, and so they click on links without even thinking about it, when the actual sending address underneath the friendly name may be nothing of the sort.
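To illustrate that point, here is a small Python check (example code written for this post, not from HBC or the original article) that recovers the real sending address from a From: header and flags the two ways a friendly name can hide it; the trusted domains, brand words and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample From: headers for this example (not from the original post).
SAMPLE_HEADERS = [
    'From: "Accounts Payable" <ap@example-corp.com>',
    'From: "jane.doe@example-corp.com" <random123@mail-freebie.example>',
    'From: "HBC IT Helpdesk" <helpdesk@hbc-support.example.net>',
    'From: it-helpdesk@example-corp.com',
]

# Hypothetical values: the organisation's own domains and its brand words.
TRUSTED_DOMAINS = {"example-corp.com"}
BRAND_WORDS = {"hbc", "example-corp", "saks"}

# An e-mail address embedded in the display name; group 1 is its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def analyze_from(header, trusted_domains=TRUSTED_DOMAINS, brand_words=BRAND_WORDS):
    """Return (display_name, real_address, warnings) for one From: header.

    Two patterns are flagged, both invisible to a reader whose client shows
    only the friendly name:
      1. the friendly name is itself an e-mail address on a different domain;
      2. the friendly name uses a trusted brand word, but the real sending
         domain is not one of the trusted domains.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    name, addr = parseaddr(value.strip())          # splits "Name" <addr>
    real_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []

    match = ADDR_IN_NAME.search(name)
    if match and match.group(1).lower() != real_domain:
        warnings.append("friendly name is an address on another domain")

    lowered = name.lower()
    if any(w in lowered for w in brand_words) and real_domain not in trusted_domains:
        warnings.append("friendly name uses a trusted brand, sender domain is not trusted")

    return name, addr, warnings


def suspicious_headers(headers=SAMPLE_HEADERS):
    """Return the real sending address of every header that raised a warning."""
    return [addr for h in headers for _, addr, warns in [analyze_from(h)] if warns]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, addr, warns = analyze_from(h)
        print(f"{name!r:32} {addr:36} {'; '.join(warns) or 'ok'}")
```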
Says Foulkes, “The malware was designed to collect customers’ payment card information, including cardholder name, payment card number and expiration date. We have no evidence based on the investigation that contact information, Social Security or Social Insurance numbers, driver’s license numbers, or PINs associated with the cards were affected by this issue. The investigation has found that this issue did not affect Saks Fifth Avenue credit cards, which are the 9-digit to 14-digit cards that can be used by customers only when shopping at Saks Fifth Avenue or Saks OFF 5TH.”
Translation: This primarily affected regular credit and debit cards, and not Saks and Lord & Taylor branded credit cards. According to the Saks customer service site, Saks accepts American Express, Visa, MasterCard, Discover, Diners Club, JCB, and CUP Credit cards. Lord & Taylor accepts Visa, MasterCard, Amex, and Discover.
It should be noted that while the NYT is calling this “one of the largest known breaches of a retailer,” we’re not sure what information they may have that they are not disclosing: in that article they say as many as 5 million records may have been breached in the Saks breach, while in the same article they point out that 40 million card numbers were stolen from Target in 2013 and 56 million card numbers were stolen from Home Depot in 2014.