Personal data of Saks customers exposed, Bay admits
Saks Fifth Avenue is the latest retailer to report that customers’ personal information has been inadvertently exposed online.
In this case, it was email addresses and phone numbers of Saks shoppers that were visible on its retail website. The breach was first reported by BuzzFeed.
BuzzFeed said “tens of thousands of customers” were affected. Email addresses, phone numbers and product codes were visible “in plain text online,” BuzzFeed reported. The pages reviewed by BuzzFeed, an Internet-based media company, have since been taken off-line. The exposed data were visible only via a specific link on the Saks site, one where customers went to join a waitlist for certain products.
The company that owns Saks and maintains its website, Canadian-based department store retailer Hudson’s Bay Co., acknowledged that some customer data were exposed. But it stressed it is moving quickly to resolve the situation and that key personal data, such as credit card numbers, were not exposed.
“We take this matter seriously,” Hudson’s Bay said in a prepared statement. “We want to reassure our customers that no credit, payment or password information was ever exposed. The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller per cent.”
Tim Erlin, a vice-president at cybersecurity firm Tripwire, says it’s too early to say how severe the “disclosure of sensitive information” at Saks will turn out to be.
Consumers, though, should always be concerned when personal data is not properly safeguarded.
“The cardinal rule,” Erlin says, “is after an initial report of a breach of some kind, you will always learn more later.”
Cyber thieves, he says, can use email lists and phone numbers to inflict financial damage on unsuspecting victims, including identity theft.
“A collection of valid emails is in effect a target list for phishing campaigns,” Erlin says.
A phishing scam is when cyber thieves send out emails purporting to be from reputable sources to induce potential victims to reveal personal data, such as credit card numbers, social security numbers and passwords. There’s also potential for hackers that get hold of email addresses to put malicious software, such as ransomware, on PCs, he adds.
The retail industry continues to battle hack attacks and inadvertent disclosures of personal information, as shoppers increasingly shift their purchases online and away from brick-and-mortar stores.
Hudson’s Bay was founded in 1670 and owns leading retail brands such as Lord & Taylor, Gilt and Saks. This past week, The New York Times reported that Hudson’s Bay was in talks to acquire high-end retailer Neiman Marcus.