Hackers breached the payment systems of Saks Fifth Avenue and Lord & Taylor, stealing the card information of millions of customers, company officials confirmed on April 1.
Hackers claim they have 5 million credit card and debit card numbers from Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor stores in North America. They may have been releasing the pilfered information for sale on black market websites since May 2017, according to the New York-based cybersecurity firm Gemini Advisory LLC.
Saks company officials said in a press release, “We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies.”
“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters or HBC Europe.”
Saks officials said there is no indication that social security or social insurance numbers, driver’s license numbers or PINs have been affected by the exploited security gap.
Gemini Advisory said a JokerStash syndicate, also known as Fin7, announced on March 28 that more than 5 million stolen payment cards were being offered for sale on the dark web, which is used by hackers and others to anonymously trade and sell stolen information. As of April 1, about 125,000 records have been released for sale, but it is expected that all stolen payment information will be available on the dark web in the coming months. JokerStash has had other successful high-profile breaches, including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.
Saks said customers will not be liable for fraudulent charges that may result from the breach, and encouraged consumers to review their account statements and contact their card issuers immediately if they find activity or transactions they do not recognize.