Slashdot Mirror


Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com)

Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."

46 comments

  1. Looks like someone... by PeterGM · · Score: 4, Funny

    ... needs to get Saked.

    --
    There are no stupid questions, just stupid people.
    1. Re:Looks like someone... by Dogtanian · · Score: 1

      YEEEEEEEEEEEAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!

      "Filter error: Don't use so many caps. It's like YELLING.".... cool, I'll let Roger Daltrey know that the next time I see him.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    2. Re: Looks like someone... by Anonymous Coward · · Score: 0

      This comes 1+ year after laying off hundreds of technical staff and replacing them with bottom dollar Indian contractors. These people can't be bothered to poop in the toilet and you expect them to give a shit about your card security?

  2. Donald Trump's data will be written on cell walls by Anonymous Coward · · Score: 0, Flamebait

    he's going to be in there for a loooooooong time

  3. The solution by Ol+Olsoc · · Score: 2
    The CEO of these companies are going to have to face some prison time. Otherwise these companies simply don't give a STD fuck about giving your credit card information away. Why would they. Even if fined, it's just an itty bitty CODB issue.

    Send one of them to a max security prison to get a little butt boning time, and we'll see the problem fixed in no time.

    The crudeness of this post was quite intentional.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:The solution by Anonymous Coward · · Score: 3, Interesting

      Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.

      The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.

      There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.

      Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compliance, these problems will continue and get worse.

    2. Re:The solution by ShanghaiBill · · Score: 1, Insightful

      The CEO of these companies are going to have to face some prison time.

      No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran. If we are going to start imprisoning people for incompetence, we will need to vastly expand our already bloated prison system and raise taxes to pay for that.

      I understand that it feels good to say "lock em up" every time we have a social problem, but if you think that is actually "the" solution, then you need to grow up.

      Here is the solution: Get rid of the idiotic CC system that relies on the same information being both widely known and secret. There is no way that mere knowledge of a CC# and exp-date should be enough to use it to buy stuff. The CVV helps a little, but not much since it is printed on the card. These CEOs didn't design this retarded system. The bankers did. How about we lock them up?

    3. Re:The solution by Ol+Olsoc · · Score: 2

      The CEO of these companies are going to have to face some prison time.

      No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran.

      No crime, no punishment, no solution, the situation continues just the same as it has occurred for years. Perhaps a stern talking to is in order, and a promise to go to their room and think about what their company has done to millions, and back to work waiting until the next breach.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:The solution by ShanghaiBill · · Score: 1

      No crime, no punishment, no solution

      If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".

      the situation continues just the same as it has occurred for years.

      Then it should be obvious that we need to FIX THE PROBLEMS rather than just pounding harder on the defects.

      Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.

      ... back to work waiting until the next breach.

      You are completely missing the point. With a proper 2FA or 3FA system, disclosure of CC#s DOES NOT MATTER, because there would no longer be any reason to pretend they are "secret". In fact, the CC#s themselves would matter so little, that we could just print them directly on the cards.

    5. Re:The solution by Ol+Olsoc · · Score: 2

      No crime, no punishment, no solution

      If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".

      You are conflating some of the silly and stupid things we have put people in jail for, and making a broad generalization that since at one time, simple marijuana possession could get you 30 years or so is now the same thing as this.

      In addition, you have made a rather interesting leap to assuming a lot of things about me.

      In addition, you've presented a mighty fine non-sequitur which is that since 'Murrica jails a lot of people that no more should be jailed because we jail a lot of people.

      Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.

      You are correct - no incentives. I propose adding some real nice and effective incentives.

      ... back to work waiting until the next breach.

      You are completely missing the point. With a proper 2FA or 3FA system, disclosure of CC#s DOES NOT MATTER, because there would no longer be any reason to pretend they are "secret". In fact, the CC#s themselves would matter so little, that we could just print them directly on the cards.

      Isn't "proper" the issue? I use 2 factor for a lot of my online life. I also decline any storage of my card options - but I know damn well they store the CC info anyhow. Right down to that 3 digit number on the back of the card. That's a 2FA, I get texts on my phone for authorization as well. There's your 3FA. I have to use my zip when I use my gas card outside of my local stations. It's all CC security theater.

      I've more often relied on my card issuers to keep things clean as their algorithms note any purchase that is out of my normal patterns, and an actual human calls to verify the transaction. Same with any big ticket purchases. They put a hold on the account and the phone rings immediately. The only time this has been a real problem was once when my wife tried to fuel her car in one city at the same time I was fueling mine in another. I trust the CC issuer a hella lot more than any business I deal with.

      But the situation is what it is. Businesses shouldn't be allowed to store CC numbers period. And as I learned a long time ago, some times you only get results when you make your problem someone else's problem. And that person is the person who can fix it.

      Back to waiting for the next breach.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:The solution by Anonymous Coward · · Score: 0

      Still no fix for the 9419 hack.

      That's the biggest one out there today.

    7. Re:The solution by Anonymous Coward · · Score: 0

      Here is the solution: Get rid of the idiotic CC system that relies on the same information being both widely known and secret. There is no way that mere knowledge of a CC# and exp-date should be enough to use it to buy stuff. The CVV helps a little, but not much since it is printed on the card. These CEOs didn't design this retarded system. The bankers did. How about we lock them up?

      And how is your solution any better? You simply say "dump it" and that's all. It is not a solution after all, because how are people going to pay in a way that is as convenient as using a CC? Cash? Phone (Samsung/Apple pay)? Wired money via bank? Do you need to carry thousands of dollars in cash to go shopping (look at many women)?

      Also, it is the company's fault that it let its system be infiltrated, not the bank's. No one higher up (including the CEO) in the company cares about security, and they never want to do it the right way because it costs more money. It wouldn't look good on their resume.

    8. Re:The solution by ShanghaiBill · · Score: 1

      The solution is to do what other countries do. These are proven, working solutions. These data breaches, and CC fraud in general, are "American problems", because most other countries don't allow me to spend your money simply by providing semi-public information.

  4. Why are CC Numbers Exposed? by Mikkeles · · Score: 1

    Why are credit card numbers even available on an internet facing DB? They are not required for individual transaction tracking as a separate id is generated for that. If a CC is presented at a store, it need only send the number to a server that returns only yea or nay, not any numbers. A similar means can apply for "1 click" and the like - the logon password sufficing.

    There will still be some vulnerabilities, but unlikely to be wholesale breach of millions of CC numbers at a time.

    --
    Great minds think alike; fools seldom differ.
    1. Re:Why are CC Numbers Exposed? by Anonymous Coward · · Score: 2, Insightful

      Why are credit card numbers even available on an internet facing DB?

      Because convenience is more important than security. If you return an item to a store they can just scan your receipt and issue a credit to your card.

    2. Re:Why are CC Numbers Exposed? by Anonymous Coward · · Score: 0

      Stop trying to make sense you!!

    3. Re:Why are CC Numbers Exposed? by Mikkeles · · Score: 1

      Your (complete) credit card number isn't on the receipt - just a transaction number which is used to reverse the transaction. No CC number need be exposed.

      --
      Great minds think alike; fools seldom differ.
    4. Re:Why are CC Numbers Exposed? by plover · · Score: 1

      Reread the summary above. The card numbers weren't on an "internet facing database." They were taken by malware implanted in their cash registers.

      --
      John
    5. Re:Why are CC Numbers Exposed? by ShanghaiBill · · Score: 1

      No CC number need be exposed.

      They need the CC# to do the refund. The customer might not have it with them, or might not remember which card they used. So the clerk needs to be able to retrieve the number.

      Of course this is stupid, and other countries do it differently. For instance, in China, the transaction ID itself can be used for the refund, without any need for the CC#. In fact, the CC# is not even needed for the original purchase. You just need the cell phone linked to the account, along with a 6 digit PIN, and either your face or your fingerprint. CC fraud in China is nearly non-existent.
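Both the parent comment ("send the number to a server that returns only yea or nay") and this reply ("the transaction ID itself can be used for the refund") describe the same architecture: tokenization at the payment processor, with the merchant holding only a transaction id, a random token and the last four digits. The following is an added example, not HBC's code and not any real processor's API, of what the store side of that looks like and why a dump of the store's own database then contains nothing a thief can sell. The in-memory processor class, the function names and the receipt format are assumptions made for this example; the card number is the standard Visa test number.

```python
"""Added example, not HBC's code and not any real processor's API: the
merchant-side picture when card numbers are tokenized at the payment
processor. The store keeps a transaction id, a random token and the last
four digits; a refund is requested by transaction id, so neither the POS
database nor the receipt ever holds a full PAN. Class and function names
and the in-memory 'processor' are assumptions made for this example."""
import json
import re
import secrets
from typing import Dict, List, Tuple


class TokenizingProcessor:
    """Stand-in for the acquirer's tokenization service. Only it ever holds
    the PAN; tokens are random and reveal nothing about the card."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}             # token -> PAN (processor side only)
        self._txns: Dict[str, Tuple[str, int]] = {}  # txn_id -> (token, cents still refundable)
        self._seq = 0

    def authorize(self, pan: str, cents: int) -> Dict[str, str]:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("malformed PAN")
        token = "tok_" + secrets.token_urlsafe(12)   # random, not derived from the PAN
        self._vault[token] = pan
        self._seq += 1
        txn_id = "TXN%08d" % self._seq
        self._txns[txn_id] = (token, cents)
        # What the merchant gets back: never the PAN.
        return {"txn_id": txn_id, "token": token, "last4": pan[-4:]}

    def refund(self, txn_id: str, cents: int) -> int:
        """Credit the original card by transaction id; returns cents still refundable."""
        token, remaining = self._txns[txn_id]
        if cents <= 0 or cents > remaining:
            raise ValueError("refund exceeds original charge")
        _pan = self._vault[token]   # resolved here to route the credit, never returned
        self._txns[txn_id] = (token, remaining - cents)
        return remaining - cents


class StoreDB:
    """Everything the merchant persists about a sale."""

    def __init__(self) -> None:
        self.sales: List[Dict[str, object]] = []

    def record(self, receipt: Dict[str, str], cents: int) -> None:
        self.sales.append({"txn_id": receipt["txn_id"], "token": receipt["token"],
                           "last4": receipt["last4"], "cents": cents})

    def dump(self) -> str:
        """What a thief who copies the store database gets."""
        return json.dumps(self.sales)


def checkout(proc: TokenizingProcessor, db: StoreDB, pan: str, cents: int) -> Dict[str, str]:
    """Card-present sale. In a real deployment the PAN travels terminal-to-processor
    under point-to-point encryption; the store application sees only the receipt."""
    receipt = proc.authorize(pan, cents)
    db.record(receipt, cents)
    return receipt


def refund_from_receipt(proc: TokenizingProcessor, db: StoreDB, txn_id: str, cents: int) -> int:
    """The clerk scans the receipt's transaction id; no card is needed."""
    if not any(row["txn_id"] == txn_id for row in db.sales):
        raise KeyError(txn_id)
    return proc.refund(txn_id, cents)


PAN_RUN = re.compile(r"\d{13,19}")


def pan_runs(text: str) -> List[str]:
    """What a scraper or a database thief would harvest: any 13 to 19 digit run."""
    return PAN_RUN.findall(text)


if __name__ == "__main__":
    proc, db = TokenizingProcessor(), StoreDB()
    r = checkout(proc, db, "4111111111111111", 65000)   # constructed test PAN, $650 track suit
    print(db.dump())
    print("PAN-looking runs in store DB:", pan_runs(db.dump()))
    print("refundable after the return:", refund_from_receipt(proc, db, r["txn_id"], 65000))
```

The point of the split is where the PAN lives: the store's database, its POS application and its receipts carry the transaction id and last four, which is enough for the clerk to issue the credit without the customer producing the card, and the processor resolves the token internally when it routes the refund. A breach of the merchant then yields tokens that are useless anywhere else. This does not by itself protect the terminal, where the card is read; that is what point-to-point encryption between the PIN pad and the processor is for, and it is the gap the malware in this story exploited.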

  5. So typical by RandomFactor · · Score: 2

    "will offer those impacted free identity protection services, including credit and web monitoring."

    Translation - bit of an expense for a year to pay for this, then we are off the hook.

    Yet the individual remains at risk for the rest of their life.

    At a bare minimum when they lose your data, credit monitoring should be for life. Also full replacement cost for compromised credit cards should be included.

    Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...

    --
    --- Mercutio was right.
    1. Re:So typical by ShanghaiBill · · Score: 1

      Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...

      There is no need to replace SSNs and DL#s. We just need to ban their use in authentication. Knowing an SSN should not be used to authenticate identity. It should just be an index number.

      When my bank needs to authenticate my identity, they text a code to the cellphone linked to the account. That is not perfect, but it is WAY more secure than asking me for the last four digits of my SSN.

    2. Re:So typical by Anonymous Coward · · Score: 0

      At a bare minimum when they lose your data, credit monitoring should be for life.

      Considering I had three different cards compromised last year and one already this year I'm at four years if they'll stack it sequentially. Don't worry, lifetime monitoring will be the end result at the rate we're going.

  6. Cancel the credit cards and all current charges by Anonymous Coward · · Score: 0

    Perhaps this should be made law. That penalty would be so hefty that it might encourage any kind of credit card to do the right thing - implement the highest quality security that would prevent this kind of problem in the future. When are we going to get mandatory universal chip-and-pin in the US for credit cards including store issued ones? Some merchants still only have swipe POS terminals.

  7. Pay with cash as much as possible by Anonymous Coward · · Score: 0

    The global political and financial elite are trying to abolish cash and digitize everything; don't let them. At the end of the day, cash is secure and private. You can't get hacked paying in cash. Only use cards for purchases where you absolutely have to.

  8. When are we going to run out by Anonymous Coward · · Score: 0

    Of replacement card numbers. Most people have like 5 cards and they get compromised at 1 per year average rate. How many pristine, never used card numbers are actually left and when we will start reusing old numbers?

    1. Re:When are we going to run out by RandomFactor · · Score: 3, Funny

      I heard that they'll be moving to the CCv6 standard when the number space starts to get low. Should provide enough credit card numbers for every molecule in the solar system.

      There's also a private credit card capability defined in RFCC 1918 (*) that is being used to mitigate the issue in many cases.

      (*) "Request for Credit Card"

      --
      --- Mercutio was right.
    2. Re:When are we going to run out by ShanghaiBill · · Score: 1

      How many pristine, never used card numbers are actually left and when we will start reusing old numbers?

      CC#s are 16 digits, so there are 10 quadrillion combinations. That is roughly 1.4 million numbers per person.

      Only one of 10 of those numbers has a valid checksum, and there are some other restrictions (Visa always starts with "4", MC with "5", etc.), but there is no way we are ever going to run out of numbers.

    3. Re:When are we going to run out by Anonymous Coward · · Score: 0

      I don't think there's much danger of running out, but picking apart the credit card number there aren't that many.

      The first six digits per issuer of a MasterCard or Visa are going to be the same. The next 9 digits identify the account and the last digit is a checksum.

      So a billion per issuer.

      We might be getting 19 digit cards though:

      Prepare for 19-Digit Credit Cards

  9. A Former HBC Software Contractor by Anonymous Coward · · Score: 0

    I can tell you in my personal experience developing applications in coordination with HBC and HBC subsidiaries that they are bottom dollar bidder. They contracted an American company (one which I worked for) to develop the Canadian hosted 2010 Winter Olympics program and fulfillment services. To simplify, we hosted these programs out of an American state and VPN'd the system to look Canadian hosted. We built services with budget in mind, not security. What can I say..

    1. Re:A Former HBC Software Contractor by Anonymous Coward · · Score: 0

      I see that they can't even design a web page properly to make sure everything goes over https. In other words, no "lock" sign even on their checkout page unless you turn images off. That's pretty basic stuff and it doesn't inspire confidence that they won't pay for someone that can do even that correctly.

    2. Re:A Former HBC Software Contractor by Anonymous Coward · · Score: 1

      I was a full-time developer with them for a time. I and most of my coworkers left voluntarily or otherwise when they brought in Tata Consultancy Services and nuked the St Louis, MO and Jackson, MS offices. All of their security is atrocious and they do bid bottom dollar to incompetent contractors. Anybody who worked there saw this coming and I'm glad I left before this hit the band saw.

    3. Re: A Former HBC Software Contractor by Anonymous Coward · · Score: 0

      Funny, that's what happened to us too.

  10. USA = shithole by Anonymous Coward · · Score: 0

    i can already hear the cries of MUH RUSSIA

  11. Probably never happen ... by CaptainDork · · Score: 1

    ... again.

    --
    It little behooves the best of us to comment on the rest of us.
  12. Worst April fools day joke ever! by Anonymous Coward · · Score: 0

    Or did they choose to disclose today, so that they could bury their disclosure in joke news?

  13. Why is the card number printed on the card? by kd3bj · · Score: 1

    In 2018, why are credit card numbers still a thing? A "secret" number printed on the front of your card, typically in raised, bold characters. And we wonder why these are stolen? Hand your card to a minimum wage worker who takes it away from you temporarily -- and we accept this?! The only reason why this irresponsible negligence is still perpetrated is because neither the banks nor the processors lose from these thefts. They MAKE money on chargebacks. Virtually all the cost is borne by the merchants. Even consumers are largely protected. It's a horrible system but the organizations with the power to change it, are not incentivized to change it.

  14. I'm trying to care by PopeRatzo · · Score: 2

    Who the hell shops at Saks Fifth Avenue or Lord & Taylor, anyway? If someone is willing to pay $650 for a shitty blue track suit that looks like one you could pick up for $3 at a local Goodwill store, then whoever hacked the database could probably make better use of their money.

    You don't believe me, you say? Nobody would pay $650 for what looks like a bad K-Mart track suit, you say?

    https://www.saksfifthavenue.co...

    --
    You are welcome on my lawn.
    1. Re:I'm trying to care by Anonymous Coward · · Score: 0

      I used to shop at Lord & Taylor. I bought a few shirts and even had an L&T credit card. This was nearly 30 years ago fresh out of college and if I got offered a discount to apply for a store credit card I figured, why not?

      It didn't even have an expiration date on it. I don't remember if I ever cancelled it but one would hope it wouldn't work. It was only used once or twice and they don't send me anything in the mail anymore.

    2. Re:I'm trying to care by Anonymous Coward · · Score: 0

      Probably a rapper would !

  15. And here is today's attack not stopped by APK by Anonymous Coward · · Score: 0

    And here we have today's attack not stopped by APK's work. I'm sure he will be along shortly to tell everyone how his work can stop this long after the fact once someone else creates a hosts file entry for him to use.

  16. Microsoft Windows strikes again by najajomo · · Score: 2

    'Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.

    If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.'

  17. Oh my by Anonymous Coward · · Score: 0

    Lord & Taylor!

    (it needed to be said)

  18. Apple Pay? by elohssa · · Score: 1

    This is why I use my phone to pay, wherever it's accepted.

  19. Good thing I don't shop there. by Mike+Van+Pelt · · Score: 1

    I used to sometimes enter the mall on my way to the food court via the "Off 5th" store. (Saks discount bargain bin.)

    I never paid much attention to the store, but I saw a light jacket of the style I'd worn for years, and needed to get another one of. The "Sears" type places had quit carrying that type of jacket.

    Holy deleted expletives, six hundred dollars!! That's insane!! I can't do business with crazy people!!

    (It was marked down from $800.)

    After that, I found a different place to park where I didn't have to go through Saks. I didn't want to get any of the stupid on me. I've never entered a Saks since.