Saks, Lord & Taylor hit by payment card data breach
Send a link to a friend
 [April 02, 2018]
By Jim Finkle and David Henry
TORONTO/NEW YORK (Reuters) - Retailer
Hudson's Bay Co on Sunday disclosed that it was the victim of a security
breach that compromised data on payment cards used at Saks and Lord &
Taylor stores in North America.
One cyber security firm said that it has evidence that millions of cards
may have been compromised, which would make the breach one of the
largest involving payment cards over the past year, but added that it
was too soon to confirm whether that was the case.
Toronto-based Hudson's Bay said in a statement that it had "taken steps
to contain" the breach but did not say it had succeeded in confirming
that its network was secure. It also did not say when the breach had
begun or how many payment card numbers were taken.
“Once we have more clarity around the facts, we will notify our
customers quickly and will offer those impacted free identity protection
services, including credit and web monitoring,” the statement said.
A company spokeswoman declined to elaborate.
The breach comes as Hudson's Bay struggles to improve its financial
performance as a tough retail environment has weighed on sales and
margins. Last June, it launched a transformation plan to cut costs and
is working to monetize the value of its substantial real estate
holdings.
Hudson's Bay disclosed the incident after New York-based cyber security
firm Gemini Advisory reported on its blog that Saks and Lord & Taylor
had been hacked by a well-known criminal group known as JokerStash.
JokerStash, which sells stolen data on the criminal underground, on
Wednesday said that it planned to release more than 5 million stolen
credit cards, according to Gemini Chief Technology Officer Dmitry
Chorine.
The hacking group has so far released about 125,000 payment cards, about
75 percent of which appear to have been taken from the Hudson's Bay
units, Chorine told Reuters by telephone.
[to top of second column] |
The Lord & Taylor flagship store building is seen along Fifth Avenue
in the Manhattan borough of New York City, U.S., October 24, 2017.
REUTERS/Shannon Stapleton
The bulk of the 5 million card numbers that JokerStash said it plans to release
are likely from Saks and Lord & Taylor, but it is too early to say for sure,
Chorine said.
"It’s hard to assess at the moment, primarily because hackers have not released
the entire cards in one batch," he told Reuters.
Alex Holden, chief information security officer with cyber security firm Hold
Security, confirmed that the 125,000 cards had been released by JokerStash but
said it was too soon to estimate how many had been taken from Hudson's Bay.
If in fact millions of records were stolen, the breach would be one of the
largest involving payment cards in the past year, but it would still be far
smaller than any of the biggest thefts on record, which occurred a decade ago.
Hackers stole more than 130 million credit cards from credit-card processor
Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer
Hannaford Brothers Co, from 2006 to 2008, according to U.S. federal
investigators.
Cyber criminals stole some 40 million payment cards in a 2013 hack on Target
Corp and 56 million from Home Depot Inc in 2014.
Hudson's Bay said there is no indication its recent breach involved online sales
at Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters and HBC
Europe units.
The company said that customers will not be liable for fraudulent charges
resulting from the breach.
(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill
Rigby and Steve Orlofsky)
[© 2018 Thomson Reuters. All rights
reserved.] Copyright 2018 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content. |
