According to the Daily Mail, we spend 153 days searching for misplaced items. But in the digital age, you don’t even have to leave your wallet somewhere to have your money stolen from you. Your cards can safely be in your possession all while clever criminals are helping themselves to your bank account. And unfortunately for 5 million customers of Saks Fifth Avenue and Lord and Taylor, that’s now their harsh reality.
The words for “silver” and “money” are the same in at least 14 different languages, but regardless of whether you refer to it as dough, bucks, or bread, this breach means big trouble for these retailers. According to cybersecurity research firm Gemini Advisory, a well-known cybercriminal ring obtained the credit and debit card numbers of millions of shoppers using cash register system software that was siphoning card info up until last month.
The firm noted that a group of Russian-speaking hackers known as JokerStash or Fin7 had recently posted online that they had obtained a cache of 5 million stolen card numbers, 125,000 of which they offered up for immediate sale. Although the group did not disclose where they had gotten the numbers, an analysis determined that the cards had all been used at approximately 130 Saks and Lord and Taylor stores all across the country (but mostly in New York and New Jersey) from May 2017 to March 2018. Gemini Advisory says the malware used by the hackers was likely installed via phishing emails sent to corporate employees. The cybersecurity firm maintains that the same hacking group was behind breaches that impacted Chipotle, Whole Foods, Trump Hotels, and other organizations.
A statement from Hudson’s Bay Company, the corporation that owns both chains, explained: “We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord and Taylor stores in North America. We have identified the issue and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”
If the information from Gemini Advisory is accurate, this breach would be the largest of its kind so far this year. Although online shopping is often thought of as being less secure, Hudson’s Bay said that its e-commerce platforms appeared to be unaffected by the breach. That’s fortunate news for consumers who like to buy online — and there are a lot of them, seeing as U.S. e-commerce revenue is currently at about $423.3 billion and climbing.
The company failed to disclose which stores or exactly how many customer accounts were affected by the breach, but it did say that customers would not be held liable for any fraudulent charges that occurred as a result. It also maintains that the breach does not impact customers currently shopping at its stores, and that the stolen data did not include contact info, Social Security numbers, driver’s license numbers, or debit card PINs. Evidently, Saks Fifth Avenue’s own credit cards weren’t compromised either, nor were customers who shopped at Home Outfitters or HBC Europe.
Unfortunately, this story is a painful reminder that not even America’s biggest companies are immune to cybercrime. In fact, a recent Global Cybersecurity Status Report found that only 38% of global organizations claimed they were prepared to handle a cyberattack. Despite how many incidents of this nature have occurred in recent months, it seems retailers need to be doing a lot more to protect their customers. Until then, you may have to shop at your own risk — and keep an eye on your bank account and credit card statement.