Russian-speaking hackers compromised systems at the luxury retail outlets in May 2017, and are now offering the data of millions on the dark web.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The credit card data was stolen using software installed into the cash registers at Saks Fifth Avenue and Lord & Taylor stores across North America.
- The hack started in May 2017 but was only stopped last month, according to security analysts.
Hackers have put the credit card data of 125,000 people up for sale on the dark web and have the information of another 5 million people after infiltrating the systems of high-end retailers Saks Fifth Avenue and Lord & Taylor.
Both stores are owned by Canada-based Hudson's Bay Company, which only confirmed the hack after cybersecurity firm Gemini Advisory released information on the breach in coordination with a number of affected financial institutions. The Gemini Advisory report estimates that the breach first occurred in May 2017, but was only detected after the hackers announced details of their attack in March 2018.
On Wednesday, March 28, infamous hacking syndicate JokerStash, also known as Fin7, announced that it had information from 5 million credit and debit cards, which it was offering for sale on the dark web.
According to Gemini Advisory, the financial institutions involved have confirmed that the credit and debit card numbers are real and say most were stolen from stores in New York and New Jersey. The data was stolen through malware that was installed on cash registers and was still funneling card numbers to the hacking group until last month, the report said.
SEE: Shore up your defenses: Budget extra for an IT audit in 2018 (Tech Pro Research)
In a statement, Saks Fifth Avenue said they "took steps to contain" the hack and "believe it no longer poses a risk to customers shopping at our stores."
"Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring," Saks Fifth Avenue wrote in the statement, adding that their e-commerce sites had not been affected by the hack.
But Gemini said the hackers are openly offering about 35,000 card numbers for sale from Saks Fifth Avenue and about 90,000 from Lord & Taylor, with almost 5 million more they can continue to sell for years.
"The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America," Gemini Advisory wrote.
"Cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time," Gemini Advisory continued.
JokerStash is well known for its hacks of many stores and outlets, including Whole Foods, Chipotle, Omni Hotels & Resorts, and Trump Hotels, the report said.
The hack comes on the heels of other major security breaches at companies across the country in the last five years. Just last year, credit reporting company Equifax admitted that data—including social security numbers, addresses, tax ID numbers, and driver's license information—from 145.5 million Americans had been stolen. Additionally, 56 million card numbers were stolen from Home Depot in 2014 and 40 million from Target in 2013.
Sportswear company Under Armour admitted on Friday that hackers had broken into their system and stolen data from the MyFitnessPal fitness-tracking app, exposing information from 150 million users.
Gemini urged all brick-and-mortar stores to switch from magnetic stripe card machines to Europay Mastercard and Visa, or EMV, terminals, which are able to verify purchases through a microchip in the physical card itself.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- They've got your money and your data. Now hackers are coming to destroy your trust (ZDNet)
- Dark Web: The smart person's guide (TechRepublic)
- IoT security spending to reach $1.5 billion in 2018 (ZDNet)
- Companies still struggle to hire security pros; use in-house training to fill the gaps (TechRepublic)