Hackers steal payment card data of 5 million Saks, Lord & Taylor customers


Hackers have apparently managed to compromise the cash register systems at Saks Fifth Avenue and Lord & Taylor stores in the US and Canada, and have stolen payment card data of some five million customers, a cybersecurity research firm has revealed on Sunday.


What happened?

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores,” the company shared.

“Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present.”

The first indication that a breach might have happened came when the hackers offered a batch of around 125,000 of the stolen payment cards for sale on the dark web.

“Considering the rather standard practice of marketplace operators in releasing stolen data gradually in order to avoid oversaturation of the market and to minimize the chances of identification of stolen records by the banks, it will take at least several months before the entire archive is offered for sale,” the security company noted.

Hudson’s Bay Company, the Canadian retail business group that owns the three department store chains, has confirmed the breach.

“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe,” they noted.

“There is no indication based on our investigation that Social Security or Social Insurance numbers, driver’s license numbers, or PINs have been affected by this issue.”

The company has assured affected customers that they will not be liable for fraudulent charges that may result from this matter, and that they will be offered free identity protection services, including credit and web monitoring. It also encouraged them to keep an eye on their accounts and to contact their card issuers immediately if they identify activity or transactions they do not recognize.

How did it happen?

It is not yet known how the attackers managed to compromise the cash register systems at the stores, but the most likely explanation is phishing (i.e., tricking employees into installing the malware themselves).

“Targeted phishing has become the single most effective attack type in the world today with US businesses losing roughly $343,000 per hour due to phishing attacks according to the FBI,” says E.J. Whaley, Solutions Engineer at GreatHorn.

“We’re living in a world where everyone – including the C-Suite – can be induced to open malicious email. Therefore, it is important that businesses not rely on static indicators of threat but instead have technologies in place capable of dynamically analyzing email to automatically detect suspicious messages.”

Shape Security CTO Shuman Ghosemajumder says that while a breach of 5 million users’ data is much smaller than the breach of 150 million users’ data reported last week by Under Armour and MyFitnessPal, the sophistication of this attack initially seems greater, appearing to compromise point-of-sale systems as opposed to accessing a database of credential data.

“But, the Under Armour attack may be more damaging. When Under Armour reports that potentially tens of millions of users have had their usernames and passwords stolen, this has a much bigger long-term effect on users’ security on other online accounts, due to most people’s habits of reusing the same passwords,” he added.

Fred Kneip, CEO at CyberGRX, notes that this latest breach shows how the parent company bears the reputational impact of breaches at its subsidiaries just like a company does when its vendors are breached.

“Companies need to consider their divisions as part of their third-party ecosystems. This includes understanding the effectiveness of key controls such as security awareness training to mitigate phishing attacks, as well as vulnerability management of point-of-sale systems. This breach illustrates that both are weak links within third-party ecosystems that hackers will exploit,” he points out.