Coverage: Saks Fifth Avenue, Lord & Taylor face breach

A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores.

Matt O’Brien of the Associated Press had the news:

The chains’ parent company, Canada-based Hudson’s Bay Co., announced the breach of its store payment systems on Sunday. The company said it was investigating and taking steps to contain the attack.

The disclosure came after New York-based security firm Gemini Advisory LLC revealed on Sunday that a hacking group known as JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2. While the extent of its holdings remains unclear, about 125,000 records were immediately released for sale.

The security firm confirmed with several banks that many of the compromised records came from Saks and Lord & Taylor customers.

Hudson’s Bay said in a statement that it “deeply regrets any inconvenience or concern this may cause,” but it hasn’t said how many Saks or Lord & Taylor stores or customers were affected. The company said there’s no indication that the breach affected its online shopping websites or other brands, including the Home Outfitters chain or Hudson’s Bay stores in Canada.

Jennifer Calfas of Fortune reported that it all U.S. locations were compromised:

All of the U.S. locations of the retail chains have been compromised, the company said, with the majority of stolen credit card information coming from stores in New York and New Jersey.

Hudson’s Bay Company, which owns both retail chains, released a statement Sunday about the data breach, noting that it does not impact shoppers who bought items on digital platforms.

“We wanted to reach out to our customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter,” the company said. “We have identified the issue, and have taken steps to contain it.”

Hudson’s Bay Company said it will notify customers as it gets more information. It also advised them to review their credit and debit card accounts to monitor for unusual transactions or activity. The company did not say how many stores or customers were compromised.

Jackie Wattles of CNNMoney.com reported that the card were used for in-store purchases:

The company added that the cards were used for in-store purchases, and there is “no indication” online purchases were affected. Hudson’s Bay said it’s cooperating with law enforcement in an ongoing investigation.

A cybersecurity firm called Gemini Advisory identified the breach and posted a blog post detailing its scope. The “attack is amongst the biggest and most damaging to ever hit retail companies,” according to the firm.

Gemini Advisory said a hacking syndicate put credit and debit card information it obtained from the hack up for sale on the dark web last week.

A “preliminary analysis” found credit card data was obtained for sales dating back to May 2017, according to the post. The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”