Payment Information Data Breach at Saks, Lord & Taylor: 5 Million Users Compromised?

Yesterday, the Toronto-based retail conglomerate Hudson Bay Company announced it had suffered a cybersecurity data breach of the payment information used at its subsidiary retailers Saks Fifth Avenue and Lord & Taylor. According to reports, the breach began in May 2017. As many as 5 million users’ credit cards may be compromised, and the breach may still be ongoing as of time of writing. Both assertions have yet to be definitively confirmed.

The announcement comes after Gemini Advisory, a cybersecurity firm, reported discovering the data breach on its blog. They identified JokerStash, a cyber-crime group, as the culprits. JokerStash is best known for being behind the hacks on Chipotle and Whole Foods. The group has already released about 93,000 credit cards allegedly stolen from Hudson Bay stores, as well as about 30,000 unrelated credit cards. JokerStash is threatening to sell 5 million stolen credit cards on the Dark Web black market on Wednesday. It is too early to tell if these are the same stolen payment cards from Saks and Lord & Taylor.

Hudson Bay officially said it is taking steps to contain the data breach, but did not confirm how the breach commenced or the exact number of cards taken. A company spokesperson only stated: “Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Hudson Bay is already struggling with declining sales and other cybersecurity headaches. In March of 2017, Buzzfeed News reported that Saks Fifth Avenue had been storing customer data in plaintext on its servers—an incredibly reckless data storage practice. If the millions of payment card data were indeed stolen from Hudson Bay stores, it would be the biggest hack on such information in this past year. The company did say customers would not be liable for fraudulent charges stemming from the breach.