Hackers have apparently managed to compromise the cash register systems at Saks Fifth Avenue and Lord & Taylor stores in the United States and Canada, and have stolen the payment card data of some five million customers, a cybersecurity research firm revealed on Sunday.
Both stores are owned by Canada-based Hudson's Bay Company, which only confirmed the hack after cybersecurity firm Gemini Advisory released information on the breach in coordination with a number of affected financial institutions.
Customers will be notified if their information has been stolen, according to the company.
Toronto cyber security expert Daniel Tobok is applauding HBC for offering identity protection services but feels too often companies aren't doing enough to keep their customers' personal information safe.
The company said customers won't be liable for fraudulent charges.
It is not yet known how the attackers managed to compromise the cash register systems at the stores, but the most likely explanation is phishing (i.e., tricking employees into installing the malware themselves). Gemini Advisory determined that the card numbers it analyzed had all been used at a Saks or Lord & Taylor store since May 2017.
Hudson's Bay has not said how many stores or customers were affected.
Fin7 is an organization infamous for hacking renowned retailers like Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels, and others. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.
There was an advertisement stating that more than five million credit and debit cards will be offered for sale, and that's when we made a decision to research this particular breach.
In January, the group struck Jason's Deli restaurants, when up to two million unique payment card numbers were stolen and put up for sale.
To date, around 35,000 records from Saks Fifth Avenue and 90,000 from Lord & Taylor have been offered for sale.
For retailers using centralized databases to store customer information, the problems can be particularly plentiful.
Last week, for instance, Under Armour announced that 150 million accounts from MyFitnessPal were stolen in a data breach. Customers are advised to monitor their accounts, review their statements and get in touch with their card issuers if suspicious activity is detected.