Department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor have suffered a data breach that apparently exposed details on 5 million payment cards for customers in North America, Toronto-based parent organization Hudson's Bay Company said on Sunday.
Details of the data breach were first announced Sunday by cybersecurity firm Gemini Advisory. "Based on the analysis of records that are currently available, it appears that all  Lord & Taylor and 83 U.S.-based Saks Fifth Avenue locations have been compromised," Gemini Advisory says in a breach alert.
The firm estimates that the breach began in May 2017 and has continued until the present.
Stolen card data first appeared for sale last Wednesday. "On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7, announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web," Gemini Advisory says. "Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue Off 5th - a discounted offset brand of luxury Saks Fifth Avenue stores - as well as Lord & Taylor stores."
Based on the trickle of card data that has so far been offered for sale - about 125,000 cards, or 2.5 percent of all the payment cards that were supposedly compromised - Gemini Advisory says the breach appears to predominantly affect New York and New Jersey residents.
HBC Confirms Data Breach
Hudson's Bay Company confirmed the breach on Sunday.
"We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," Hudson says in an updated statement issued Monday. "We identified the issue, took steps to contain it,and believe it no longer poses a risk to customers shopping at our stores."
Hudson's Bay says it's working with third-party digital forensic investigators to respond to the data breach. "While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson's Bay, Home Outfitters, or HBC Europe," the company says. "We deeply regret any inconvenience or concern this may cause."
The company has promised to launch a dedicated call center for breach victims on Wednesday and says it will offer identity theft monitoring to all breach victims. "HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize," it adds.
HBC added data breach alerts to the websites of Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor. All of the department stores' website homepages have a notice at the top - "important message for our customers regarding payment card security issue" - that hyperlinks to the data breach notifications.
Gemini Advisory says it appears that attackers gained complete access to the breached department stores' networks. "Based on the analysis of the available data, the entire network of  Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised," it says.
It's not clear how the data was stolen, but in payment card breaches, attackers typically push card-scraping malware onto point-of-sale terminals. In some cases, however, attackers instead install malicious code on the servers to which payment card data gets transferred (see Why POS Malware Still Works).
U.S.-based hotel chains, retailers and restaurants continue to suffer a payment card breach epidemic (see 166 Applebee's Restaurants Hit With Payment Card Malware).
To help battle fraud, many retailers have been upgrading their POS systems to be compatible with cards that carry chips compatible with the standard known as EMV - for Europay, MasterCard and Visa. Hudson's Bay tells The Wall Street Journal that it equipped with EMV-compatible systems all of its Saks Fifth Avenue and Saks Off 5th stores by the fall of 2016, and all Lord & Taylor stores by February 2017.
But EMV won't stop skimming malware installed onto POS terminals if consumers are allowed to swipe the cards - for reading track data - rather than "dipping" the cards so that card data is pulled from the cryptographic chip (see Fast-Food Chain Sonic Investigates Potential Card Breach). In addition, some security experts have suggested that even dipped card data could be stolen if card issuers haven't correctly implemented the EMV standard.
The choice of Saks Fifth Avenue and Lord & Taylor - two relatively upmarket department store chains - could have furnished attackers with a higher caliber of payment card data.
"There is so much to be gained by targeting the wealthy and the stores they frequent and so little to be lost as the long arm of U.S. law enforcement gets shorter each year," Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a cybersecurity consultancy, tells Information Security Media Group.
While only about 125,000 of the stolen payment cards have been offered for sale by JokerStash so far, "we expect the entire cache to become available in the following months," Gemini Advisory says.
Attackers typically trickle stolen cards onto the market. But after banks become alerted to a breach, the race is on for attackers to dump stolen card data before it becomes worthless (see Banks Reacting Faster to Card Breaches).
Carbanak Gang Strikes
JokerStash is also known as the Carbanak gang, which is also known as the Anunak or Cobalt gang, after strains of malware that the gang reportedly developed and deployed for use against individuals as well as for jackpotting - aka "cash out" - attacks against ATMs. The group had been tied to more than $1 billion in losses.
Police in Spain last week said they've arrested the group's alleged leader (see Spain Busts Alleged Kingpin Behind Prolific Malware).
Moscow-based cybersecurity firm Group-IB told Information Security Media Group that the gang's alleged chief developer was also recently arrested in Ukraine.
But authorities say two other core members of the Anunak gang remain at large and security experts suspect they'll likely continue the group's activities, as the batch of Saks and Lord & Taylor payment card data suggests they're now doing.
"We do not rule out the theory that the remaining members will continue to conduct operations for a period of time with the goal of showing that the individuals arrested were not associated with the group," Dmitry Volkov, Group-IB's CTO and head of its threat intelligence department, told ISMG.
Repeat JokerStash Syndicate Strike
The JokerStash syndicate has been tied to previous sales of payment card data stolen in previous breaches, including a breach at Dallas-based luxury hotel chain Omni Hotels & Resorts that began in late 2015 and was discovered in May 2016 (see Omni Hotels & Resorts Hit by Hacker).
At the time, cybercrime intelligence firm Flashpoint told Information Security Media Group that the breach came to light after JokerStash began selling more than 50,000 payment cards stolen from Omni Hotels. At the time, Flashpoint said JokerStash was selling the stolen Omni Resorts cards data via its own website, but advertising them for sale on two Russian-language communities called Verified and Omerta.