Data from 5 million stolen credit and debit cards is coming up for sale, and a cybersecurity firm says the cards were used at retailers Saks Fifth Avenue, Lord & Taylor, and Saks’ off-price chain Saks Off Fifth.
Many details about the breach remain unknown, including the extent to which the retailers, which are subsidiaries of Toronto-based Hudson’s Bay Co., had rolled out EMV chip card technology that might have protected the card data.
The breach started last May and has continued to the present, New York City-based Gemini Advisory LLC said Sunday in a blog post disclosing the breach. Gemini said that on March 28, a “notorious” hacking syndicate that goes by the names of JokerStash and Fin7 announced on the dark Web that the card numbers were coming up for sale. Gemini said that, after working with several financial institutions, “we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores.”
Saks, Lord & Taylor, and Hudson’s Bay issued statements Sunday saying they were aware of the breach and were taking steps to contain it. On Monday, they issued updated statements saying “we identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.”
Counting the off-price locations, Saks has 170 stores and Lord & Taylor 50. “Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised,” the Gemini post says. “The majority of stolen credit cards were obtained from New York and New Jersey locations.”
Only about 125,000 stolen numbers have been offered for sale so far, but Gemini says it expects the rest to be sold in the coming months.
The retailers gave no indication how the breach happened. Dmitry Chorine, Gemini’s co-founder and chief technology officer, tells Digital Transactions News that JokerStash/Fin7’s typical method is to send so-called spear-phishing emails to staff members in operations or logistics at targeted companies. If someone opens the email, malware will be installed on the company’s network that eventually can identify point-of-sale systems and terminals, then capture card data, he says.
The malware so far has been ineffective against the most recent iterations of EMV chip card payments in the U.S., according to Chorine. “We have not seen … a single breach where they have been able to harvest EMV information,” he says.
Hudson’s Bay had provisioned its stores with EMV terminals last year, according to Chorine, but it’s not known if all of them were actually live and processing chip card payments or were still reading cards’ more vulnerable magnetic stripes.
In response to a Digital Transactions News email asking about that issue, a Hudson’s Bay spokesperson replied with a copy of today’s statement and a frequently-asked-questions list, which did not address the question. The company did say that so far there is no evidence the breach affected Hudson’s Bay’s e-commerce platforms, Hudson’s Bay itself, its Home Outfitters stores, or HBC Europe.
Gemini said the JokerStash syndicate earlier successfully hacked Whole Foods, Chipotle, Omni Hotels & Resorts, and Trump Hotels.