Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com)

← Back to Stories (view on slashdot.org)

Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com)

Posted by msmash on Sunday April 1, 2018 @07:55AM from the security-woes dept.

Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."

25 of 46 comments (clear)

Min score:

Reason:

Sort:

Looks like someone... by PeterGM · 2018-04-01 08:00 · Score: 4, Funny

... needs to get Saked.

--
There are no stupid questions, just stupid people.
1. Re:Looks like someone... by Dogtanian · 2018-04-01 08:20 · Score: 1
  
  YEEEEEEEEEEEAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!
  
  "Filter error: Don't use so many caps. It's like YELLING.".... cool, I'll let Roger Daltrey know that the next time I see him.
  
  --
  "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
The solution by Ol+Olsoc · 2018-04-01 08:22 · Score: 2

The CEO of these companies are going to have to face some prison time. Otherwise these companies simply do't give a STD fuck about giving your credit card information away. Why would they. Even if fined, it's just a itty bitty CODB issue.
Send one of them to a max security prison toe get a little butt boning time, and we'll see the problem fixed in no time.
The crudeness of this post was quite intentional.

--
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
1. Re:The solution by Anonymous Coward · 2018-04-01 08:57 · Score: 3, Interesting
  
  Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.
  The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.
  There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.
  Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compliance, these problems will continue and get worse.
2. Re:The solution by ShanghaiBill · 2018-04-01 14:40 · Score: 1, Insightful
  
  The CEO of these companies are going to have to face some prison time.
  No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran. If we are going to start imprisoning people for incompetence, we will need to vastly expand our already bloated prison system and raise taxes to pay for that.
  I understand that it feels good to say "lock em up" every time we have a social problem, but if you think that is actually "the" solution, then you need to grow up.
  Here is the solution: Get rid of the idiotic CC system that relies on the same information being both widely known and secret. There is no way that mere knowledge of a CC# and exp-date should be enough to use it to buy stuff. The CVV helps a little, but not much since it is printed on the card. . These CEOs didn't design this retarded system. The bankers did. How about we lock them up?
3. Re:The solution by Ol+Olsoc · 2018-04-01 15:37 · Score: 2
  
  The CEO of these companies are going to have to face some prison time.
  No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran.
  No crime, no punishment, no solution, the situation continues just the same as it has occured for years. Perhaps a stern talking to is in order, and a promise to go to their room and think about what their company has done to millions, and back to work waiting until the next breach.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
4. Re:The solution by ShanghaiBill · 2018-04-01 16:17 · Score: 1
  
  No crime, no punishment, no solution
  If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".
  
  the situation continues just the same as it has occured for years.
  Then it should be obvious that we need to FIX THE PROBLEMS rather than just pounding harder on the defects.
  Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.
  
  ... back to work waiting until the next breach.
  You are completely missing the point. With a proper 2FA or 3FA system, disclosure of CC#s DOES NOT MATTER, because there would no longer be any reason to pretend they are "secret". In fact, the CC#s themselves would matter so little, that we could just print them directly on the cards.
5. Re:The solution by Ol+Olsoc · 2018-04-02 02:20 · Score: 2
  
  No crime, no punishment, no solution
  If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".
  You are conflating some of the silly and stupid things we have put people ln jail for, and making a broad generalization that since at one time, simple marijuana possession could get you 30 years or so is now the same thing as this.
  In addition, you have made a rather interesting leap to assuming a lot of things about me.
  n addition, you've presented a mighty fine non-sequitur which is that since 'Murrica jails a lot of people that no more should be jailed because we jail a lot of people.
  
  Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.
  You are correct - no incentives. I propose adding some real nice and effective incentives.
  
  ... back to work waiting until the next breach.
  You are completely missing the point. With a proper 2FA or 3FA system, disclosure of CC#s DOES NOT MATTER, because there would no longer be any reason to pretend they are "secret". In fact, the CC#s themselves would matter so little, that we could just print them directly on the cards.
  Isn't "proper" the issue? I use 2 factor for a lot of my online life. I also decline any storage of my card options - but I know damn well they store the CC info anyhow. Right down to that 3 digit number on the back of the card. That's a 2FA, I get texts on my phone for authorization as well. There's your 3FA. I have ot use my zip when I use my gas card outside of my local stations. Its all CC security theater.
  I've more often relied on my card issuers to keep things clean as their algorithms note any purchase that is out of my normal patterns, and an actual human calls to verify the transaction. Same with any big ticket purchases. They put a hold on the account and the phone rings immediately. The only time this has been a real problem was once when my wife tried to fuel her car in one city at the same time I was fueling mine in another. I trust the CC issuer a hella lot more than any business I deal with.
  But the situation is what it is. Businesses shouldn't be allowed to store CC numbers period. And as I learned a long time ago, some times you only get results when you make your problem someone else's problem. And that person is the person who can fix it.
  Back to waiting for the next breach.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
6. Re:The solution by ShanghaiBill · 2018-04-02 13:43 · Score: 1
  
  The solution is to do what other countries do. These are proven, working solutions. These data breaches, and CC fraud in general, are "American problems", because most other countries don't allow me to spend your money simply by providing semi-public information.
Why are CC Numbers Exposed? by Mikkeles · 2018-04-01 08:25 · Score: 1

Why are credit card numbers even available on an internet facing DB? They are not required for individual transaction tracking as a separate id is generated for that. If a CC is presented at a store, it need only send the number to a server that returns only yea or nay, not any numbers. A similar means can apply for "1 click" and the like - the logon password sufficing.
There will still be some vulnerabilities, but unlikely to be wholesale breach of millions of CC numbers at a time.

--
Great minds think alike; fools seldom differ.
1. Re:Why are CC Numbers Exposed? by Anonymous Coward · 2018-04-01 08:48 · Score: 2, Insightful
  
  Why are credit card numbers even available on an internet facing DB?
  Because convenience is more important than security. If you return an item to a store they can just scan your receipt and issue a credit to your card.
2. Re:Why are CC Numbers Exposed? by Mikkeles · 2018-04-01 09:59 · Score: 1
  
  Your (complete) credit card number isn't on the receipt - just a transaction number which is used to reverse the transaction. No CC number need be exposed.
  
  --
  Great minds think alike; fools seldom differ.
3. Re:Why are CC Numbers Exposed? by plover · 2018-04-01 14:59 · Score: 1
  
  Reread the summary above. The card numbers weren't on an "internet facing database." They were taken by malware implanted in their cash registers.
  
  --
  John
4. Re:Why are CC Numbers Exposed? by ShanghaiBill · 2018-04-01 17:01 · Score: 1
  
  No CC number need be exposed.
  They need the CC# to do the refund. The customer might not have it with them, or might not remember which card they used. So the clerk needs to be able to retrieve the number.
  Of course this is stupid, and other countries do it differently. For instance, in China, the transaction ID itself can be used for the refund, without any need for the CC#. In fact, the CC# is not even needed for the original purchase. You just need the cell phone linked to the account, along with a 6 digit PIN, and either your face or your fingerprint. CC fraud in China is nearly non-existent.
So typical by RandomFactor · 2018-04-01 08:27 · Score: 2

"will offer those impacted free identity protection services, including credit and web monitoring."
Translation - bit of an expense for a year to pay for this, then we are off the hook.
Yet the individual remains at risk for the rest of their life.
At a bare minimum when they lose your data, credit monitoring should be for life. Also full replacement cost for compromised credit cards should be included.
Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...

--
--- Mercutio was right.
1. Re:So typical by ShanghaiBill · 2018-04-01 17:11 · Score: 1
  
  Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...
  There is no need to replace SSNs and DL#s. We just need to ban their use in authentication. Knowing an SSN should not be used to authenticate identity. It should just be an index number.
  When my bank needs to authenticate my identity, they text a code to the cellphone linked to the account. That is not perfect, but it is WAY more secure than asking me for the last four digits of my SSN.
Re:When are we going to run out by RandomFactor · 2018-04-01 11:24 · Score: 3, Funny

I heard that they'll be moving to the CCv6 standard when the number space starts to get low. Should provide enough credit card numbers for every molecule in the solar system.
There's also a private credit card capability defined in RFCC 1918 (*) that is being used to mitigate the issue in many cases.
(*) "Request for Credit Card"

--
--- Mercutio was right.
Re:A Former HBC Software Contractor by Anonymous Coward · 2018-04-01 12:14 · Score: 1

I was a full-time developer with them for a time. I and most of my coworkers left voluntarily or otherwise when they brought in Tata Consultancy Services and nuked the St Louis, MO and Jackson, MS offices. All of their security is atrocious and they do bid bottom dollar to incompetent contractors. Anybody who worked there saw this coming and I'm glad I left before this hit the band saw.
Probably never happen ... by CaptainDork · 2018-04-01 12:19 · Score: 1

... again.

--
It little behooves the best of us to comment on the rest of us.
Why is the card number printed on the card? by kd3bj · 2018-04-01 13:05 · Score: 1

In 2018, why are credit card numbers still a thing? A "secret" number printed on the front of your card, typically in raised, bold characters. And we wonder why these are stolen? Hand your card to a minimum wage worker who takes it away from you temporarily -- and we accept this?! The only reason why this irresponsible negligence is still perpetrated is because neither the banks nor the processors lose from these thefts. They MAKE money on chargebacks. Virtually all the cost is borne by the merchants. Even consumers are largely protected. It's a horrible system but the organizations with the power to change it, are not incentivized to change it.
I'm trying to care by PopeRatzo · 2018-04-01 14:58 · Score: 2

Who the hell shops at Saks Fifth Avenue or Lord & Taylor, anyway? If someone is willing to pay $650 for a shitty blue track suit that looks like one you could pick up for $3 at a local Goodwill store, then whoever hacked the database could probably make better use of their money.
You don't believe me, you say? Nobody would pay $650 for what looks like a bad K-Mart track suit, you say?
https://www.saksfifthavenue.co...

--
You are welcome on my lawn.
Re:When are we going to run out by ShanghaiBill · 2018-04-01 17:17 · Score: 1

How many pristine, never used card numbers are actually left and when we will start reusing old numbers?
CC#s are 16 digits, so there are 10 quadrillion combinations. That is roughly 1.4 million numbers per person.
Only one of 10 of those numbers has a valid checksum, and there are some other restrictions (Visa always starts with "4", MC with "5", etc.), but there is no way we are ever going to run out of numbers.
Microsoft Windows strikes again by najajomo · 2018-04-02 03:47 · Score: 2

'Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.

If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.' link
Apple Pay? by elohssa · 2018-04-02 05:00 · Score: 1

This is why I use my phone to pay, wherever it's accepted.
Good thing I don't shop there. by Mike+Van+Pelt · 2018-04-02 07:49 · Score: 1

I used to sometimes enter the mall on my way to the food court via the "Off 5th" store. (Sak's discount bargain bin.)
I never paid much attention to the store, but I saw a light jacket of the style I'd worn for years, and needed to get another one of. The "Sears" type places had quit carrying that type of jacket.
Holy deleted expletives, six hundred dollars!! That's insane!! I can't do business with crazy people!!
(It was marked down from $800.)
After that, I found a different place to park where I didn't have to go through Saks. I didn't want to get any of the stupid on me. I've never entered a Sak's since.