Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com)
Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.
"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.
The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.
There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.
Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compliance, these problems will continue and get worse.