Hackers skim 5m payment cards from Saks chain


By Dylan Bushell-Embling
Tuesday, 03 April, 2018



US department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor have fallen victim to a data breach involving the theft of customer payment data.

The stores' parent company, Hudsons Bay Corporation, disclosed on Sunday that it had become aware of a breach involving payment information at the affected stores.

Cybersecurity company Gemini Advisory said the breach was announced on Wednesday by notorious hacking syndicate JokerStash, also known as Fin7. The syndicate has revealed plans to dump more than 5 million stolen payment cards for sale on the dark web.

Gemini Advisory said the attack appears to have impacted the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations, with the majority of stolen cards obtained from locations in New York and New Jersey.

So far 125,000 records have been released for sale, but the entire cache is expected to be made available in the following months. Preliminary analysis suggests that criminals were siphoning payment information from May 2017 until a few days ago, when Hudsons Bay closed the security hole.

“The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America [as well as international travellers who have shopped at the stores],” Gemini Advisory said.

“This recent breach once again emphasises the importance of a transition to the more secure EMV POS terminals in retail operations. Although many large retailers managed to migrate entirely from older generation magstripe terminals to EMV in 2017, several nationwide chains still have not done so.”

Hudsons Bay said it plans to notify impacted customers and offer them free identity protection services, including credit and web monitoring. There is no indication that the company’s e-commerce or other digital platforms were affected.
