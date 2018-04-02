Subscribe Place Ad Buy Trib Photos Sportstalk Contests
Jobs Homes Autos Classifieds
Trib Total Media Contact Us
ShareThis Page
Technology

Data breach hits Saks Fifth Avenue, Lord & Taylor stores

The Associated Press | Monday, April 2, 2018, 5:12 a.m.
In this July 29, 2013, file photo, a shopper uses a Fifth Avenue entrance to Saks, in New York. A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday, April 1, 2018.
AP | Richard Drew
In this July 29, 2013, file photo, a shopper uses a Fifth Avenue entrance to Saks, in New York. A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday, April 1, 2018.
In this Oct. 25, 2017 file photo, a shopper walks into a Lord & Taylor department store at Garden State Plaza in Paramus, N.J. A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday, April 1, 2018.
AP | Julio Cortez
In this Oct. 25, 2017 file photo, a shopper walks into a Lord & Taylor department store at Garden State Plaza in Paramus, N.J. A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday, April 1, 2018.

Updated 3 hours ago

A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores.

The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday. The company said it was investigating and taking steps to contain the attack.

The disclosure came after New York-based security firm Gemini Advisory LLC revealed on Sunday that a hacking group known as JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2. While the extent of its holdings remains unclear, about 125,000 records were immediately released for sale.

The security firm confirmed with several banks that many of the compromised records came from Saks and Lord & Taylor customers.

Hudson's Bay said in a statement that it “deeply regrets any inconvenience or concern this may cause,” but it hasn't said how many Saks or Lord & Taylor stores or customers were affected. The company said there's no indication that the breach affected its online shopping websites or other brands, including the Home Outfitters chain or Hudson's Bay stores in Canada.

The company said customers won't be liable for fraudulent charges. It plans to offer free credit monitoring and other identity protection services.

There is evidence that the breach began about a year ago, said Dmitry Chorine, Gemini Advisory's co-founder and chief technology officer. He said the prolific hacking group has previously targeted major hotel and restaurant chains.

The breach follows last year's high-profile hack of credit bureau Equifax that exposed the personal data of millions of Americans. This newest breach, however, more closely resembles past retail breaches that have targeted the point-of-sale systems used by companies from Home Depot to Target and Neiman Marcus.

Chorine said the hackers' typical method is to send cleverly crafted phishing emails to company employees, especially managers, supervisors and other key decision-makers. Once an employee clicks on an attachment, which is often made to look like an invoice, the system gets infected.

“For an entire year, criminals were able to sit on the network of Lord & Taylor and Saks and steal data,” he said.

Chorine said most of the stolen credit cards appear to have been obtained from stores in the New York City metropolitan area and other Northeast U.S. states. It's possible, he said, that those stores hadn't yet adopted the more secure credit card payment systems that have been rolled out elsewhere.

Hudson's Bay is advising customers who want more information about the breach to visit security-response websites it's created for Saks Fifth Avenue , Saks Off Fifth , and Lord & Taylor .

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.

click me