Slashdot Mirror


Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com)

Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."

10 of 46 comments

  1. Looks like someone... by PeterGM · Score: 4, Funny

    ... needs to get Saked.

    --
    There are no stupid questions, just stupid people.
  2. The solution by Ol Olsoc · Score: 2
    The CEOs of these companies are going to have to face some prison time. Otherwise these companies simply don't give a STD fuck about giving your credit card information away. Why would they? Even if fined, it's just an itty bitty CODB issue.

    Send one of them to a max security prison to get a little butt boning time, and we'll see the problem fixed in no time.

    The crudeness of this post was quite intentional.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:The solution by Anonymous Coward · Score: 3, Interesting

      Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.

      The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.

      There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.

      Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compliance, these problems will continue and get worse.

    2. Re:The solution by Ol Olsoc · Score: 2

      The CEOs of these companies are going to have to face some prison time.

      No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran.

      No crime, no punishment, no solution; the situation continues just the same as it has occurred for years. Perhaps a stern talking to is in order, and a promise to go to their room and think about what their company has done to millions, and back to work waiting until the next breach.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:The solution by Ol Olsoc · Score: 2

      No crime, no punishment, no solution

      If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".

      You are conflating some of the silly and stupid things we have put people in jail for, and making a broad generalization that since at one time simple marijuana possession could get you 30 years or so, this is now the same thing.

      In addition, you have made a rather interesting leap to assuming a lot of things about me.

      In addition, you've presented a mighty fine non-sequitur, which is that since 'Murrica jails a lot of people, no more should be jailed because we jail a lot of people.

      Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.

      You are correct - no incentives. I propose adding some real nice and effective incentives.

      ... back to work waiting until the next breach.

      You are completely missing the point. With a proper 2FA or 3FA system, disclosure of CC#s DOES NOT MATTER, because there would no longer be any reason to pretend they are "secret". In fact, the CC#s themselves would matter so little, that we could just print them directly on the cards.

      Isn't "proper" the issue? I use 2 factor for a lot of my online life. I also decline any storage of my card options - but I know damn well they store the CC info anyhow. Right down to that 3 digit number on the back of the card. That's a 2FA. I get texts on my phone for authorization as well. There's your 3FA. I have to use my zip when I use my gas card outside of my local stations. It's all CC security theater.

      I've more often relied on my card issuers to keep things clean as their algorithms note any purchase that is out of my normal patterns, and an actual human calls to verify the transaction. Same with any big ticket purchases. They put a hold on the account and the phone rings immediately. The only time this has been a real problem was once when my wife tried to fuel her car in one city at the same time I was fueling mine in another. I trust the CC issuer a hella lot more than any business I deal with.

      But the situation is what it is. Businesses shouldn't be allowed to store CC numbers, period. And as I learned a long time ago, sometimes you only get results when you make your problem someone else's problem. And that person is the person who can fix it.

      Back to waiting for the next breach.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. So typical by RandomFactor · Score: 2

    "will offer those impacted free identity protection services, including credit and web monitoring."

    Translation - bit of an expense for a year to pay for this, then we are off the hook.

    Yet the individual remains at risk for the rest of their life.

    At a bare minimum when they lose your data, credit monitoring should be for life. Also full replacement cost for compromised credit cards should be included.

    Then we move into other information often lost due to this kind of negligence that needs replacement mechanisms also - SSN, DL#...

    --
    --- Mercutio was right.
  4. Re:Why are CC Numbers Exposed? by Anonymous Coward · Score: 2, Insightful

    Why are credit card numbers even available on an internet facing DB?

    Because convenience is more important than security. If you return an item to a store they can just scan your receipt and issue a credit to your card.

  5. Re:When are we going to run out by RandomFactor · Score: 3, Funny

    I heard that they'll be moving to the CCv6 standard when the number space starts to get low. Should provide enough credit card numbers for every molecule in the solar system.

    There's also a private credit card capability defined in RFCC 1918 (*) that is being used to mitigate the issue in many cases.

    (*) "Request for Credit Card"

    --
    --- Mercutio was right.
  6. I'm trying to care by PopeRatzo · Score: 2

    Who the hell shops at Saks Fifth Avenue or Lord & Taylor, anyway? If someone is willing to pay $650 for a shitty blue track suit that looks like one you could pick up for $3 at a local Goodwill store, then whoever hacked the database could probably make better use of their money.

    You don't believe me, you say? Nobody would pay $650 for what looks like a bad K-Mart track suit, you say?

    https://www.saksfifthavenue.co...

    --
    You are welcome on my lawn.
  7. Microsoft Windows strikes again by najajomo · Score: 2

    'Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.

    If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.' link