Major retailers have grabbed the lion’s share of data breach headlines in the first half of 2018. Macy’s, Adidas, Saks Fifth Avenue, Lord & Taylor, Kmart, Sears and Under Armour all suffered breaches in which the personal data of their customers was hacked or exposed.
Here’s a look at notable security breaches thus far:
MACY’S – JULY 9
Macy’s has sent letters to customers warning them that a cyber threat targeted customers’ online account information for nearly two months.
On June 11, Macy’s cyber threat alert tools uncovered the attack on macys.com and bloomingdales.com customer accounts and blocked the compromised profiles. Hackers were able to access customers’ names, addresses, phone numbers, email addresses, birthdays, and credit or debit card numbers with expiration dates.
Macy’s officials said the suspicious activity took place from April 26 to June 12. A third party obtained valid usernames and passwords through websites not related to macys.com or bloomingdales.com and used them to gain access to customers’ accounts.
The pilfered information did not include social security numbers or the CVV security numbers that appear on the backs of credit cards, officials said.
ADIDAS – JUNE 26
Adidas alerted “a few million” customers who made purchases on its U.S. website about a potential data breach where hackers were suspected of accessing their personal information.
The athletic apparel company became aware of a “potential data security incident” on June 26, in which “an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.” Company officials are taking steps to gauge the scope of the breach by working with data security firms and law enforcement.
The data includes contact information, usernames and encrypted passwords.
“Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted,” the Germany-based company said.
KMART, SEARS AND BEST BUY – APRIL 4
Hundreds of thousands of online shoppers of Kmart, Sears and Best Buy may have had their personal information stolen in a security breach of [24]7.ai, a provider of customer service chat software.
The business process outsourcing company informed the affected companies in mid-March that it had discovered a hack that potentially affected online customer payment information of a small number of its clients, even if they did not use the chat feature.
In addition to stolen credit card information, hackers may have accessed names and other important personally identifiable information.
In an April 4 press release, [24]7.ai said, “The incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.”
Sears and Best Buy announced that their data had been affected in the hack.
On its website, Best Buy informed customers, “[24]7.ai has indicated that customer payment information may have been compromised during that time and, if that were the case, then a number of Best Buy customers would have had their payment information compromised, as well.”
The electronics retailer said it has notified law enforcement and, in working with [24]7.ai, determined that a small fraction of its overall online customer population could have been affected, whether or not they used the chat function.
Sears Holdings, which includes Sears and Kmart, said in a statement on its website that they “believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information.”
“We immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms,” a Sears official said. “Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24]7.ai has assured us that their systems are now secure.”
SAKS FIFTH AVENUE AND LORD & TAYLOR – APRIL 1
Saks Fifth Avenue and Lord & Taylor confirmed on April 1 that hackers had breached their payment systems, stealing the card information of more than 5 million customers. Saks company officials said in a press release, “We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters or HBC Europe.”
Hackers claim they have credit card and debit card numbers from Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor stores in North America. They may have been releasing the pilfered information for sale on black market websites since May 2017, according to the New York-based cybersecurity firm Gemini Advisory LLC.
Gemini Advisory said a JokerStash syndicate, also known as Fin7, announced on March 28 that more than 5 million stolen payment cards were being offered for sale on the dark web, which is used by hackers and others to anonymously trade and sell stolen information. As of April 1, about 125,000 records had been released for sale, but it is expected that all stolen payment information will be available on the dark web in the coming months. JokerStash has had other successful high-profile breaches, including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.
Saks officials stated that based on their investigation, there is no indication that social security or social insurance numbers, driver’s license numbers or PINs have been affected by the exploited security gap. Officials said customers will not be liable for fraudulent charges that may result from the breach, and encouraged consumers to review their account statements and contact their card issuers immediately if they find activity or transactions they do not recognize.
UNDER ARMOUR – MARCH 29
In late March, Under Armour notified about 150 million users that their personal information was stolen in a February 2018 security breach of its MyFitnessPal app, its food and nutrition application. Personal data such as email addresses, usernames and passwords were exposed, but credit-card information and driver’s license numbers weren’t compromised, according to the company.
Officials said the MyFitnessPal team discovered the data security issue on March 25 when they found that an “unauthorized party acquired data associated with MyFitnessPal user accounts.” MyFitnessPal is an app that assists in the tracking of diet and exercise routines.
Under Armour, the Baltimore-based athletic and fitness apparel company, said its “investigation indicates that the affected information included usernames, email addresses, and hashed passwords – the majority with the hashing function called bcrypt used to secure passwords.”
“The affected data did not include government-issued identifiers (such as social security numbers and driver’s license numbers), which the company does not collect from users,” officials said. “Payment card data was also not affected because it is collected and processed separately.”
The company took steps to alert MyFitnessPal users by notifying them through email and in-app messaging. The notice contains recommendations for users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.
The company’s investigation indicates that approximately 150 million user accounts were affected by the breach.