Huge High-End Hack Hoists 5 Million Cards from Saks, Lord & Taylor Customers

April 20, 2018

It’s currently one of the biggest retail hacks in history, and it’s not over. Since May 2017, the JokerStash online crime syndicate has been lifting credit and debit card data from Saks Fifth Avenue and Lord & Taylor customers. Since the hack’s discovery just days ago, over 5 million customers have been affected, and the numbers are sure to increase. Databases of 83 Saks stores and the entire network of Lord & Taylor were compromised. The heist was limited to customers shopping in the brick-and-mortar stores, mainly in New York and New Jersey. According to current information, online shoppers at the high-end retail stores were spared, but it’s a fluid investigation subject to change.

JokerStash is a well-known hacking outfit responsible for hacks on other retail outfits like Whole Foods, Omni Hotels, and Chipotle. According to reports, since May 2017, 125,000 cards have been discovered for sale on the Dark Web. Many believe this JokerStash hack avoided detection until now by keeping the flow of cards to the Dark Web on a relatively small scale. The slow drip of data let the hackers maximize sale potential while staying under the radar of bank investigators looking for the common point of purchase that would reveal the source of a breach. It’s believed the following months will find more and more customer data being sold.

In the meantime, anyone who shopped at the stores over the past year should pay close attention to payment card charges. If anything looks even remotely suspicious, report it to the card issuer immediately. Watch those statements at least for 12 months or until the card expires or a new one is issued to you. And even then, don’t stop watching for suspicious charges on any of your cards. Breaches can happen at any time, and as this and many other incidents show, sometimes it’s a very long time before the company even knows there is or was an intruder stealing information.

Also remember to choose the credit option when paying at point-of-sale (POS) systems, if you have a choice. Running a debit card as credit means you never enter your PIN into the POS terminal, so even if the card data is skimmed, hackers cannot pair a recreated card with your PIN and drain cash from your bank account; a fraudulent credit transaction is disputed with the issuer rather than coming out of your checking balance.

The parent company of both retail chains, Canada’s Hudson’s Bay Company (HBC), is speaking out, saying it has “taken steps to contain the hacks.” HBC says that when there is “more clarity around the facts,” customers will receive free credit monitoring and other identity protection. If they do, be sure to take advantage. While it won’t prevent charges to your accounts, keep new accounts from being opened in your name, or prevent identity theft, these services will alert you when someone requests your credit report, so you can react more quickly.

For now, the investigation continues into how this happened and how it remained undetected for 11 months. In March of 2017, it was publicly disclosed that Saks was storing its customer data in plain text on its server. The data didn’t include customer payment information, but it showed an alarming lack of cyber security for the retail giant. The following days should shed more light on the hack.

Stickley on Security
Published April 18, 2018