On March 28, Russian hackers known as the JokerStash syndicate or Fin7 were selling, on the dark web, payment card data stolen from over 5 million customers of department stores Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor in New York and New Jersey, writes The New York Times, following an investigation carried out by Gemini Advisory.
At the time of research, only 125,000 records were for sale, but Gemini Advisory expects the hackers to offer all of the data in the following months.
The Hudson’s Bay Company, the Canadian owner of the retail chains, confirmed the breach on Sunday and assured customers that only in-store purchases were affected, due to a compromise of the cash registers.
“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” the Canadian corporation’s website reads. “We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”
According to Gemini Advisory, the estimated window of compromise is between May 2017 and the present, and “the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.”
An investigation is ongoing, but chances are it will show that the hackers sent phishing emails to employees asking them to either open a link or download an attachment, which installed a backdoor in the company network. This would have allowed the hackers to install malicious software on the cash register systems and steal credit card numbers.
These are not the only chains hit by the hacker group, but this is the largest data breach to hit retail companies. Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels are also among the victims.
The Hudson’s Bay Company will reach out to its customers and offer identity-protection services. Customers are advised to monitor their accounts, review their statements and get in touch with their card issuers if they detect suspicious activity.