On April 1, HBC confirmed a report that hackers had breached payment systems in its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. As many as five million shoppers may have been affected by the breach, according to the Wall Street Journal report. HBC has not revealed how many accounts have been exposed, but noted in a statement that it “has identified the issue and has taken steps to contain it.”
While HBC didn’t reveal the specific data that may have been compromised, the retailer said there is no indication that Social Security or Social Insurance numbers, driver’s license numbers or PINs have been affected by the breach.
There is no indication at this time that the hack affects shoppers of the company’s e-Commerce sites or any Hudson’s Bay, Home Outfitters, or HBC Europe stores. Shoppers affected by the breach will not be liable for fraudulent charges, according to a company statement. HBC is working with law enforcement authorities and payment card companies as part of the investigation, and will offer those impacted free identity protection services, including credit and web monitoring.
EMV Didn’t Protect This Data
Hudson’s Bay said all Saks Fifth Avenue and Saks Off 5th stores had EMV systems installed by the fall of 2016, while Lord & Taylor stores were equipped with the system by February 2017. Yet even with the technology, the retailer still suffered from a significant security gap.
“The problem organizations have is the actual identification of a breach or infection, especially in a reasonable time frame,” said Terry Ray, CTO of Imperva, in commentary provided to Retail TouchPoints. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common. Usually, cybersecurity teams are underfunded, until a breach; then they get a little extra money. Their teams are generally small and stretched thin. Given all the areas that can be attacked, security team members need broad technology knowledge, which makes them highly desirable in the marketplace, going back to the underfunded point.”
A hacking group called JokerStash Syndicate has been releasing stolen card data for sale on the “dark web,” a network of web sites used by hackers and others to anonymously share information, according to Gemini Advisory LLC, a New York-based cybersecurity firm. The hackers began stealing the card numbers in May 2017, the firm estimates. Approximately 125,000 records have been released for sale, although Gemini expects the entire cache to become available in the following months.
Based on the analysis of the available data, all 50 Lord & Taylor stores and 83 Saks Fifth Avenue locations have been compromised.
The breach comes as HBC struggles to improve its financial performance amid declines in sales and margins. In June, the retailer launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.
The unveiling of the breach comes shortly after Under Armour revealed that cybercriminals compromised its MyFitnessPal mobile app, affecting approximately 150 million accounts. These recent breaches follow last year’s high-profile hack of credit bureau Equifax, which exposed the personal data of as many as 143 million Americans.