Cybercriminals who ran off with info on five million debit and credit cards from Saks Fifth Avenue (including its discount brand) and Lord & Taylor databases appear to be preparing to sell them on the dark web, according to a Sunday report from Gemini Advisory.
The majority of the stolen payment cards were taken from stores in New York and New Jersey, though as Engadget noted, three Canadian stores in Toronto, Brampton, and Pickering could have been targeted. Gemini wrote that “the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present.” They added a group named Fin7, which markets stolen credit information on a hub called Joker’s Stash that reportedly advertises millions of stolen cards, is currently listing 125,000 of the stolen accounts for sale but more will likely be released in coming months.
Hudson’s Bay Company, which owns the chains in questions, confirmed the breach on Sunday. It wrote in a statement that customers would not be held liable for any charges, will offer free identity protection services to those affected once the situation has “more clarity around the facts,” and has “taken steps to contain” the scope of the breach. According to the New York Times, the card data was likely obtained by sending phishing emails to retail employees. The Wall Street Journal wrote that many retailers have tried to prevent similar breaches by switching to a computer chip-authenticated form of payment called EMV, though Hudson’s Bay said that EMV had been installed in all of the affected brands by February 2017.
The full scope of the breach is “hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” Gemini Chief Technology Officer Dmitry Chorine told Reuters. The news agency also reported that Hudson’s Bay said there is no indication the breach involves online sales records at “Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters, and HBC Europe units.”
The breach is not among the largest in history—hackers have stolen data on hundreds of millions of cards from businesses as varied as credit-card processors to 7-Eleven Inc., Target and Home Depot, not to mention last year’s horrific Equifax breach—but it may prove to be particularly bad. Gemini wrote since it involves luxury brands with customers who “are more likely to purchase high-ticket items regularly,” many of whom are international travelers, they expect a “significant surge in fraudulent in-person purchases in the coming months, which will explicitly affect foreign banks.”
The hit to the brands’ reputations may also be significant. A BuzzFeed investigation in 2017 found that many of Saks Fifth Avenue’s customer records (not including payment info) were stored in plain text on publicly accessible servers. Per the Times, Hudson Bay Company lost its CEO before last year’s holiday season. The paper wrote its stock has fallen in recent years as retail sales declined, and some of its brands now derive much of their worth from the value of their real estate properties.