If you don’t have a data breach response plan, you should develop one without delay.
Saks Fifth Avenue and Lord & Taylor are the latest retailers to have customers' credit card data stolen from their systems. Now their parent company is scrambling to convince consumers they are safe to shop as brick-and-mortar operations struggle to compete with online marketplaces.
A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.
Hudson’s Bay, which owns Saks Off Fifth and Lord & Taylor, released a statement:
We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe. We deeply regret any inconvenience or concern this may cause.
As the company investigates the breach, it has sought to notify customers immediately. On Sunday it posted a statement, along with an FAQ section, updating both on Monday.
We wanted to reach out to our customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.
The statement goes on to answer questions such as whether Social Security numbers and other key personal data were compromised, as well as whether the risk is ongoing. The company is promising to investigate fully, to offer free credit monitoring and to release more information.
If the breach includes millions of cards, it would be the biggest so far this year, highlighting the continuing risk for companies securing sensitive data.
The New York Times continued:
The theft is one of the largest known breaches of a retailer and shows just how difficult it is to secure credit-card transaction systems despite the lessons learned from other large data breaches, including the theft of 40 million card numbers from Target in 2013 and 56 million card numbers from Home Depot in 2014. Last year, Equifax, a credit reporting firm, disclosed that sensitive financial information on 145.5 million Americans had been exposed in a breach of the company’s systems.
By announcing that it is investigating the situation, and promising updates as needed, Hudson’s Bay seeks to protect its reputation amid a scandal of still unknown proportions.
JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.
“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.
Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.
On Twitter, some tossed a bit of shade at the traditional retailer:
Wow. Saks Fifth Avenue and Lord & Taylor say 5 million customers Data was breached. I am shocked. I had no idea they still had that many customers.
— Claude Taylor (@TrueFactsStated) April 1, 2018
Others seemed confused about who was affected by the breach—only those customers with Saks credit cards, or anyone who had shopped at one of the stores.
Hudson’s Bay’s assertion that online sales have been unaffected might be adding to the confusion.
What would you have done differently, PR Daily readers?