Hudson’s Bay has become the victim of one of the largest data breaches to hit a retailer, with cybercriminals stealing up to five million payment cards issued to customers of its Saks Fifth Avenue and Lord & Taylor stores.
The Toronto-based company disclosed Monday that it had become aware of “a data security issue involving customer payment card data” at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores stores in North America.
Hudson’s Bay did not say when the breach had begun or how many payment card numbers were taken. But cyber security firm Gemini Advisory said a well-known criminal group called JokerStash had last week offered more than five million stolen payment cards for sale on the dark web.
“In cooperation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores,” Gemini said in a report.
The firm also reported that the hackers began siphoning data in May 2017 and the majority of stolen credit cards were obtained from New York and New Jersey locations.
Gemini Chief Technology Officer Dmitry Chorine told Reuters that the hackers had so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units.
In other notable retail attacks, cybercriminals stole some 40 million payment cards in a 2013 hack on Target and 56 million from Home Depot in 2014. The JokerStash group has also been responsible for high-profile breaches of companies including Whole Foods, Chipotle, Omni Hotels & Resorts, and Trump Hotels.
The Hudson’s Bay breach “once again emphasizes the importance of a transition to the more secure EMV POS terminals in retail operations,” Gemini said. “Although many large retailers managed to migrate entirely from older generation magstripe terminals to EMV in 2017, several nationwide chains still have not done so.”
On news of the hack, Hudson’s Bay shares were down 1.3% at $8.80 in trading Monday. Last week, the company reported fourth-quarter earnings that missed analysts’ estimates amid declining same-store sales.