A well-known ring of cybercriminals has obtained more than 5 million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.
Hudson's Bay Co., the Canadian corporation that owns both retail chains, confirmed Sunday that a breach had occurred.
"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
Hudson's Bay said that its investigation was continuing but that its e-commerce platforms appeared to have been unaffected by the breach. The company declined to identify how many customer accounts or stores were affected.
The theft is one of the largest known breaches of a retailer and shows just how difficult it is to secure credit-card transaction systems despite the lessons learned from other large data breaches, including the theft of 40 million card numbers from Target in 2013 and 56 million card numbers from Home Depot in 2014.
Last year, Equifax, a credit reporting firm, disclosed that sensitive financial information on 145.5 million Americans had been exposed in a breach of the company's systems.
The research firm that identified the Saks breach, Gemini Advisory, said Sunday that a group of Russian-speaking hackers known as Fin7 or JokerStash posted online Wednesday that it had obtained a cache of 5 million stolen card numbers, which the thieves called BIGBADABOOM-2. The hackers, who have also hit other retail chains, offered 125,000 of the records for immediate sale.
Fin7 did not disclose where the numbers had been obtained. But the researchers, working in conjunction with banks, analyzed a sample of the records and determined that the card numbers all seemed to have been used at Saks and Lord & Taylor stores, mostly in New York and New Jersey, from May 2017 to March 2018.
Although it's unclear exactly how the malware was installed in the stores' checkout systems, Gemini said it was most likely through phishing e-mails sent to Hudson's Bay employees.
In a phishing attack, hackers send seemingly legitimate e-mails to a company's employees that encourage them to click on a link or attached file that secretly installs software on their computers, giving the attackers a back door into the systems.
The breach comes at a difficult time for Saks and Lord & Taylor, and retailers more generally.
Online shopping has cut deeply into the traditional brick-and-mortar retail industry, and department stores have been particularly slow to adapt to the new ways that people shop.
Chains that cater to a spectrum of income levels and affluence have seen their sales dwindle. The once-mighty Macy's has closed stores and laid off thousands of employees. Neiman Marcus, a high-end brand, was at one point mulling a merger with Hudson's Bay.
And last year, Lord & Taylor, a jewel of luxury shopping in Hudson Bay's portfolio, sold its 676,000-square-foot flagship Manhattan location, the latest retail titan to acknowledge that much of its value now comes simply from the physical buildings where shoppers once flocked.
As digital forces reshape the retail industry, Hudson's Bay executives have watched the company's stock plummet in recent years. Comparable store sales — one important measure of performance — dropped 2.6 percent in its department stores group in the most recent quarter.
Hudson's Bay said customers can get further information on the websites of Saks Fifth Avenue, Saks Off 5th and Lord & Taylor.