Hackers steal up to 5mn customer card records from luxury retail chain in US, Canada

2 Apr, 2018 06:46

In what has been described as one of the biggest card heists in history, a hacker group claims it obtained payment details relating to five million customers of Saks Fifth Avenue and Lord&Taylor stores, located mostly in the US.

The breach was first discovered by cybersecurity firm Gemini Advisory and was later confirmed by Hudson's Bay Company – one of Canada's largest retail groups with a specific focus on the luxury market. The company owns Saks Fifth Avenue, Saks Off 5th and Lord&Taylor stores, which were identified by Gemini as victims of the hack.

The company said that it was "aware of the security issue" and has "taken steps to contain it." The breach has not affected its online stores, the company added.

Neither social security numbers, driver's license numbers nor PINs were compromised in the heist, it said.

Notorious hacker group JokerStash has claimed responsibility for the hack it dubbed "BIGBADABOOM-2" on Wednesday, Gemini Advisory said in a blog post. The hackers, known for a long record of successful data heists targeting Whole Foods and Trump Hotels, among others, announced that they were placing five million stolen credit and debit card numbers for sale on the dark web.

So far, JokerStash has placed some 35,000 payment records relating to Saks Fifth Avenue stores, and 90,000 from Lord&Taylor, on the illegal personal data market. Gemini Advisory said hackers are likely to dump the stolen information in portions so as not to inundate the market and to protect their anonymity.

Gemini Advisory said the hackers appear to have first gained access to the data in May 2017, and the breach could still be underway. During this almost year-long operation, all 51 Lord&Taylor stores in the US were exposed to the hack, along with 83 Saks Fifth Avenue outlets in the US, and three in Canada's Ontario.

The majority of the cards compromised in the theft belong to customers who shopped in New York and New Jersey, the cybersecurity firm said, calling the heist "among the biggest and most damaging to ever hit retail companies."

In January, the group struck Jason's Deli restaurants, when up to two million unique payment card numbers were stolen and put up for sale. 

However, Gemini Advisory noted that the Hudson's Bay breach could be much more damaging, because it will be harder for banks to spot unusual transactions when they involve customers who routinely splash money on luxury goods.

"It will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time," it said.

In another similarly large-scale data breach in 2013, some 40 million Target customers had their credit card details stolen. The hackers exploited a poorly secured point-of-sale (PoS) system to steal information from the magnetic stripe on the back of the cards.

The investigation found that hackers had installed malware through credentials stolen from a third-party vendor. This led to a staggering $18.5 million being paid by Target to settle legal claims with 47 states in 2017, as well as the resignation of long-time Target CEO Gregg Steinhafel.