More than 5M credit cards exposed in Saks, Lord & Taylor breach

April 1 (UPI) — Hackers stole information from millions of customers who used debit or credit cards at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores.

The Hudson’s Bay Company, which owns the retail store chains, confirmed the data breach involving customer payment card data in a statement on Sunday.

“We have identified the issue, and have taken steps to contain it. We will offer those impacted free identity protection services, including credit and web monitoring,” the company said. “Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Hudson’s Bay added there was “no indication” the breach affected its e-commerce or other digital platforms such as Hudson’s Bay, Home Outfitters, or HBC Europe, but encouraged customers to review their bank account statements and contact card issuers of any unauthorized charges.

Cybersecurity firm Gemini Advisory said in a blog post that it first identified the breach, describing it as “amongst the biggest and most damaging to ever hit retail companies,” affecting more than 5 million cards.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web,” the firm said.

Gemini Advisory added analysis suggests the hackers were siphoning the information between May 2017 to present.

“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised,” the firm said. “The majority of stolen credit cards were obtained from New York and New Jersey locations.”

The criminals have released approximately 125,000 credit and debit card records for sale but the firm expects the entire cache to become available in the following months.

The hackers were also responsible for previous data breaches affecting Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels, according to Gemini Advisory.