On Sunday news broke that credit and debit card information from five million customers had been stolen from Saks Fifth Avenue and Lord & Taylor in a data breach orchestrated by FIN7.
On 28 March, FIN7 released a new batch of compromised details called “BIGBADABOOM-2” to its Joker’s Stash underground market hub. Security firm Gemini Advisory examined the dump and with the help of financial institutions traced it back to Saks Fifth Avenue and Lord & Taylor.
According to Gemini Advisory’s analysis, members of FIN7 compromised the entire network of Lord & Taylor and 83 Saks Fifth Avenue Locations as far back as May 2017. They then leveraged that compromise to steal five million customers’ credit and debit cards before offering them up for sale on their marketplace.
FIN7, a financially motivated threat actor with a history of targeting retail and hospitality organizations, has thus far released only 125,000 cards in its sale. Gemini Advisory expects the group will release the remaining information gradually over the next few months.
Hudson’s Bay Company (HBC), owner of both Saks Fifth Avenue and Lord & Taylor, accepted responsibility for the incident in a statement published on 1 April:
“HBC wanted to reach out to customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter. HBC has identified the issue, and has taken steps to contain it. Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”
The Canadian retail business group is planning on creating a dedicated call center for customers to learn more about the data breach. While it continues to work with law enforcement and financial institutions to discover how the data breach occurred, it’s urging customers to monitor their accounts for signs of suspicious activity.
Affected customers shouldn’t stop there. They should demand that Saks Fifth Avenue and Lord & Taylor be transparent about what security measures they’re implementing to prevent a similar incident from occurring in the future. According to Gemini Advisory’s analysis:
“This recent breach once again emphasizes the importance of a transition to the more secure EMV POS terminals in retail operations. Although many large retailers managed to migrate entirely from older generation magstripe terminals to EMV in 2017, several nationwide chains still have not done so.”
Hopefully, some of the actions to mitigate future data breaches will involve the implementation of security measures like data encryption, point-to-point encryption and tokenization to protect credit card data as it is collected and transmitted and access controls for the users accessing the data and network.
As a global leader in digital security, Gemalto offers a robust portfolio of enterprise security solutions and retail data security solutions that can help organizations, especially retail companies, secure their sensitive information against data breaches. Data breaches can have a significant impact on customer loyalty. According a recent Gemalto survey of more than 10,000 consumers worldwide, 70% said they would stop doing business with a company that experienced a data breach. Download the report to get more insights on data breaches and customer loyalty.