No fooling. A cybercriminal ring, known as known as Fin7 or JokerStash, snatched more than five million credit and debit card numbers from Saks Fifth Avenue and Lord & Taylor customers.
The Hudson's Bay Company, the Canadian firm that owns both retail chains, confirmed this past weekend a breach occurred.
Cybersecurity firm Gemini Advisory identified posted a blog with details of the breach, believed among the biggest and most damaging to ever hit retail companies. The data, the firm said, appears stolen using implanted software in the cash register systems that tapped card numbers until
The hacking group behind it put the obtained credit and debit card information, which the thieves identified as BIGBADABOOM-2, up for sale on the darknet last week according to Gemini. The same hackers coordinated the data breaches affecting Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels, Gemini Advisory said.
A preliminary analysis discovered the origination of the breach dates to May 2017, according to the post. The breach could affect more than 130 Saks and Lord & Taylor locations across the country, but most of stolen credit cards obtained apparently affected mainly New York and New Jersey locations.
“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” the company said in a statement. “We have identified the issue and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.” Hudson's Bay said that its investigation continued but that its e-commerce platforms appeared unaffected by the breach.
Mark Cline, a VP at Fort Lauderdale, Fla.-based Netsurion, a provider of managed security services for multi-location businesses, said. “This incident shows once again merchants still need to protect themselves against POS system infiltration attacks targeting cardholder data. A multi-layer security strategy is necessary. Retailers must start by segmenting their POS networks, using next-gen firewalls to block data exfiltration and implement constant monitoring and endpoint threat detection. If nothing else, dwell time of such an attack would be reduced to hours or days.” Cline added, “After all, the report is that this attack has persisted for almost a year, just as we have seen in previous massive card breaches.”
Other breaches recently revealed included as many as 880,000 customers of Orbitz, which may have compromised personal information; and the athletic wear company Under Armour, which disclosed the breaching of data tied to its fitness app affecting 150 million user accounts.
The acquisition of caches of personal and financial data becomes relevant in a cumulative way. Gene Fredriksen, chief information security strategist for St. Petersburg, Fla.-based CUSO PSCU, while responding to the misuse of Facebook data on some 50 million people, pointed out that people might assume the effects from a data theft limited to the breached company. “The truth is that the aggregate information from a series of breaches can build an extensive personal profile.” He added hackers could build a treasure trove for anyone wanting to steal identities, commit other kinds of fraud, or simply resell the bundled information to other criminals.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
Roy Urrico
Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).
