Saks 5th Avenue and Lord and Taylor: Department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor have suffered a data breach that apparently exposed details on 5 million payment cards. Cybersecurity firm Gemini Advisory says the JokerStash syndicate – aka Carbanak gang – is selling the stolen card data.
Details of the breach were first announced on Sunday. Based on analysis of the records that are currently available, it appears that all 51 Lord and Taylor and all 83 US-based Saks 5th Avenue locations have been compromised. Apparently the breach began in May of 2017.
Stolen card data first appeared for sale last Wednesday. On March 28, 2018, the notorious JokerStash hacking syndicate, also known as Fin7, announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web.
Hudson’s Bay, the parent company of both retailers, says it’s working with third-party digital forensic investigators to respond to the data breach. “While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe,” the company says. “We deeply regret any inconvenience or concern this may cause.”
The company has promised to launch a dedicated call center for breach victims on Wednesday and says it will offer identity theft monitoring to all breach victims. “HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize,” it adds.
HBC added data breach alerts to the websites of Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor. All of the department stores’ website homepages have a notice at the top – “important message for our customers regarding payment card security issue” – that hyperlinks to the data breach notifications.
The breach is not among the largest in history: hackers have stolen data on hundreds of millions of cards from businesses as varied as credit-card processors, 7-Eleven Inc., Target and Home Depot, not to mention last year’s. It may prove to be particularly bad, however, since it involves luxury brands with customers who “are more likely to purchase high-ticket items regularly.” Many of these customers are international travelers, and a “significant surge in fraudulent in-person purchases in the coming months, which will explicitly affect foreign banks,” is expected.
This particular group of hackers was also behind notorious data breaches that affected companies including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.
What should you do if your data was compromised? Here are some basic guidelines for different types of compromised data.
If the compromised data was…
…A password: Change your password for that account immediately. If you use the same password for other accounts, change those as well.
…Email address: Watch your inbox for messages requesting information or asking you to click on a link. If you receive a suspicious email from a company you do business with, call the sender to verify that they did indeed send it.
…Credit card number: Call the creditor and ask for a new card with a new number. Some creditors will automatically reissue cards to affected customers in wide-scale breaches. Know, however, that because the number rather than the card itself was stolen, you are not liable for any unauthorized purchases under the Fair Credit Billing Act.
…Debit card number: Since the card was not lost, you are not liable for any unauthorized transactions if you report them within 60 days of receiving your statement. Still, you should cancel the card and change your PIN. If the bank account number was also exposed, close the account and open a new one with a new number. Consider asking for a verbal password, too, which prevents bank personnel from discussing your account with anyone unable to provide that password.
…Social Security number: Contact one of the three major credit reporting agencies and have them place a fraud alert on your account. That agency will then be legally bound to notify the other two agencies to do the same. An alert lets lenders know to take extra care verifying personal information before issuing credit and entitles you to a complimentary credit report from each agency. Review this for suspicious activity. You should also place a credit freeze on your account, which will prevent a credit reporting company from releasing your credit report or score without your consent.
Sometimes the letters from breached companies also contain offers for free credit report monitoring provided by the company. While these programs are not generally worth paying for, since you can monitor your own credit for free, you may as well accept one if it’s being handed out. Monitoring services will alert you to some uses of your SSN more quickly than you may be able to spot them through your credit report, meaning you can resolve any problems sooner.