Some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores suffered security attacks on their in-store point-of-sale systems last year, leading to about 5 million credit and debit card numbers being stolen, according to a New York Times story that referenced a report from security research firm Gemini Advisory.
Russian hacker syndicate Fin7 appears to have been responsible, according to Gemini Advisory. The hacker group has so far offered about 125,000 stolen card numbers — the majority of them obtained from New York and New Jersey stores — for sale on the dark web.
The Hudson's Bay Company, which owns all three of the retail store brands affected, subsequently confirmed in a statement that certain stores had been affected by a "data security issue," that it is continuing to investigate the incident and that it will offer further details to affected customers as the investigation progresses.
Gemini in its report described this breach as "amongst the biggest and most damaging to ever hit retail companies."
The massive breach comes at an especially bad time for the retailer. Just last week the company reported that same-store sales declined about 2.4% in the fourth quarter of 2017. That wrapped up a year in which the company, under heavy pressure from an activist investor, closed about 27 stores and sold its flagship Lord & Taylor store in New York City.
New CEO Helena Foulkes, who came on board in February after former CEO Jerry Storch abruptly departed, already had to deal with the need for a strategic makeover and a decision about whether or not the company will still look into mergers or privatization. Now she also has to grapple with a data breach at a time when operators of brick-and-mortar stores can't exactly afford to give customers more reasons to stay away from those stores.
Data breaches continue to be a growing threat for retailers and brands. The Hudson's Bay breach was not even the only attack to be discovered in the past week, as Under Armour also admitted that its MyFitnessPal app was breached in an incident that left the usernames, e-mail addresses and passwords of as many as 150 million users vulnerable.
In 2017 alone, we saw data breaches that resulted from malware being planted on the POS systems in stores operated by The Buckle, Eddie Bauer, Kmart and Forever21.
Even with technology, such as EMV chips, more widely adopted, information remains vulnerable.
"EMV chip card acceptance can help merchants distinguish between real and fake payment cards," Ruston Miles, founder and chief innovation officer of Bluefin Payment Systems, told Retail Dive via e-mail. "However, EMV does nothing to stop hackers from using malware to steal card data from POS systems." Miles added that further protections like industry-standard encryption and tokenization are needed (and if you have those capabilities, they need to be turned on. In the case of Forever21's breach, they apparently were not).
Terry Ray, CTO of data security technology company Imperva, said in an e-mail to Retail Dive that it may take more than investments in new security systems for Hudson's Bay to protect its customers.
Ray said many organizations continue to have problems with discovering data breaches, and understanding what they are dealing with once they find them, which is why the Hudson's Bay data breach and others seem to go on for months before they are stopped. (The Hudson's Bay breach started last May and was ongoing until very recently, according to the Times.)
"Most attacks are designed to run under the radar, and the methods of breach constantly evolve," Ray said. "This requires that cyber security teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common."
Can Hudson's Bay learn from the sector's security shortcomings? This is the same question seemingly asked after every retail data breach, with only the name of the company being much different. We have yet to see many companies come up with an adequate answer.