[BreachExchange] Saks, Lord & Taylor Hit With Data Breach

Inga Goddijn inga at riskbasedsecurity.com
Sun Apr 1 22:31:35 EDT 2018


https://www.wsj.com/articles/saks-lord-taylor-hit-with-data-breach-1522598460

Hackers breached the payment systems of Saks Fifth Avenue and Lord & Taylor
department stores and stole credit card information for millions of
shoppers, the latest in a series of intrusions that have exposed security
gaps in corporate networks.

Hackers claim they have five million credit card and debit card numbers
from the stores and have been releasing them for sale on the “dark web,” a
network of websites used by hackers and others to anonymously share
information, according to Gemini Advisory LLC, a New York-based
cybersecurity firm
<https://geminiadvisory.io/fin7-syndicate-hacks-saks-fifth-avenue-and-lord-taylor>.
The hackers began stealing the card numbers in May 2017, the firm estimates.

A spokesman for Hudson’s Bay <http://quotes.wsj.com/CA/XTSE/HBC> Co. of Canada, which
owns the two chains, confirmed a security breach involving customer payment
card data at its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor chains
in North America.

He said an investigation is ongoing and didn’t say how many accounts were
exposed. At this point, the company doesn’t believe Social Security or
driver’s license numbers have been compromised and said it would notify any
affected customers once it has completed its investigation.

“We have identified the issue, and have taken steps to contain it,” the
spokesman said, adding that the company is coordinating with law
enforcement. Customers will be offered free identity protection services,
including credit monitoring, and won’t be liable for fraudulent charges, he
said.

The retailer said there was no indication at this time that the breach
affected its e-commerce operations, or other store brands it owns,
including the Hudson’s Bay department-store chain in Canada or Galeria
Kaufhof in Germany.

So far, 125,000 cards that had been used at Saks or Lord & Taylor have been
released for sale by the hackers, according to Gemini Advisory. Some were
cards that were used by card owners as recently as last month in one of the
affected stores, according to Dmitry Chorine, Gemini Advisory’s chief
technology officer.

The group behind the hack is known as JokerStash Syndicate or Fin 7. It
appears to have penetrated the retailers’ point of sale systems, Mr.
Chorine said.

After previous breaches the JokerStash group has released credit-card data
in smaller batches, to avoid flooding the market for illegally obtained
payment credentials, Mr. Chorine said.

The incident is the latest in a string of hacks that have compromised
consumer data. Nearly 148 million U.S. consumers had personal information
stolen, including parts of their driver’s license, as part of a breach last
year at Equifax Inc.
<https://www.wsj.com/articles/weve-been-breached-inside-the-equifax-hack-1505693318>,
a credit-rating firm. In 2013, more than 40 million people had their name,
address or phone number taken in a Target <http://quotes.wsj.com/TGT> Corp.
breach.

On Friday, Under Armour <http://quotes.wsj.com/UAA> Inc. disclosed that
someone illegally accessed data from its MyFitnessPal fitness-tracking app
in late February, affecting some 150 million users
<https://www.wsj.com/articles/under-armour-discloses-breach-affecting-150-million-myfitnesspal-app-users-1522362412>.
Personal data such as emails, usernames and passwords were exposed, but
credit-card information and driver’s license numbers weren’t compromised,
the athletic-wear company said. Under Armour said it has enlisted
data-security firms and law enforcement to investigate the scope of the
breach.

JokerStash has been linked to a series of breaches, dating back years,
including break-ins at Whole Foods
<https://www.wsj.com/articles/whole-foods-data-breach-affected-about-100-taprooms-restaurants-1508526726>
Market, Chipotle Mexican Grill <http://quotes.wsj.com/CMG> Inc., Omni
Hotels & Resorts
<https://www.wsj.com/articles/omni-hotels-warns-of-data-breach-1468010853> and
Trump Hotels, according to Gemini Advisory.

To make their systems more secure, retailers have been switching to a new
form of payment called EMV, for Europay Mastercard and Visa, which uses a
computer chip in the card to authenticate transactions.

Hudson’s Bay said all Saks Fifth Avenue and Saks Off 5th stores had EMV
systems installed by the fall of 2016, while Lord & Taylor stores were
equipped with the system by February 2017.

The breach is the latest challenge for Hudson’s Bay, which acquired Lord &
Taylor in 2012 and Saks in 2013. Like other department store operators, it
has been struggling with slowing or declining sales as shoppers buy more
online, shift their preferences to specialty stores and spend more of their
budgets on travel and entertainment.

In addition, Hudson’s Bay has had to contend with an activist investor and
a recent CEO switch. In February, the company hired CVS Health Inc.
executive Helena Foulkes as chief executive
<https://www.wsj.com/articles/saks-owner-to-hire-cvs-veteran-as-next-ceo-1517849378>,
filling a position that was vacated last fall.

Last week, the company reported mixed results for its latest quarter, with
same-store sales rising at Saks but falling at its department-store group
and off-price division. Ms. Foulkes told analysts that “everything is on
the table” when it comes to fixing the business. “There are no sacred
cows,” she said on a conference call.

For the 12 months ended Feb. 3, the company reported a loss of 581 million
Canadian dollars ($450 million) and total sales that were little changed at
C$14.4 billion.

Activist shareholder Land & Buildings Investment Management LLC has been
urging the company to sell divisions and make better use of its real
estate, including its flagship Saks Fifth Avenue store in Manhattan. In
January, it sent a letter to Hudson’s Bay’s shareholders saying the company
should consider going private.

Last year, Hudson’s Bay agreed to sell its Lord & Taylor flagship store in
Manhattan for $850 million to a group that includes WeWork Cos, the
office-sharing startup. The company has been slimming down its workforce,
as part of an effort to save $350 million annually.