Big data shoplift
Hackers hit Saks and Lord & Taylor records
Hackers have stolen the records of up to 5 million credit and debit cards, including at certain New York and New Jersey Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores, a cybersecurity firm said Sunday.
Hudson’s Bay Co., parent of the department stores, is investigating the situation, it said.
“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the company said in a statement shortly after the cybersecurity company, Gemini Advisory, made news of the hack public.
“We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize,” the retailer said.
Hudson’s Bay is examining whether the problem included those using company and non-company-issued credit cards.
There is no indication the breach affected online customers, it said.
For Hudson’s Bay, this is the second embarrassing breach in about a year.
Last March, tens of thousands of Saks’ customers’ addresses and phone numbers were inadvertently put on the retailer’s Web site.
At the time Hudson’s Bay said, “The security of our customers is of utmost priority.”
Gemini Advisory alleges the thief this time is known as Joker-Stash or Fin7. The hackers sent phishing e-mails to company employees.
If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.
Hudson’s Bay told The Post its information security program is a mix of industry-leading, third-party security services and global, in-house staff support.
Last June, Hudson’s Bay announced it laid off 2,000 workers in an effort to cut costs. It is unclear if any were in information security.
“Security is always the first thing to get cut,” said Harry Houck, the former head of fraud investigations at Citigroup, making it clear he did not know if this was the case at Hudson’s Bay.
Credit card users who believe they were hacked should demand from their bank a new credit card and PIN number or cancel their cards, Houck said.
Those who buy hacked cards sometimes do not use the stolen information for several years, Houck said.
“People get hit in these attacks three years later who didn’t cancel their cards,” Houck said.
Restoring customer confidence will be a test for new Hudson’s Bay Chief Executive Helena Foulkes, former president of CVS Pharmacy, who only took the helm Feb. 19.
The Toronto company’s shares have fallen from C$10.71 a year ago to C$8.92 on Friday.