The Saks Fifth Avenue and Lord & Taylor department-store chains have suffered a security breach that has compromised shoppers’ personal and financial information.
Hackers claim to have stolen five million credit-card and debit-card records from the stores and have been releasing them for sale on dark web forums, according to a notice published Sunday by Gemini Advisory LLC, a New York-based cybersecurity firm.
A spokesman for Hudson’s Bay Co. HBC 3.60% , which owns the two chains, confirmed a data security breach involving customer payment card data at its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor chains in North America.
The spokesman said there was no indication at this time that the breach affected its e-commerce operations, other digital platforms such as Gilt Groupe, or other banners, including the Hudson’s Bay department store chain in Canada, or Galeria Kaufhof in Germany.
“We have identified the issue, and have taken steps to contain it,” the spokesman said, adding that the company is coordinating with law enforcement authorities. Customers will be offered free identity protection services, including credit monitoring, and won’t be liable for fraudulent charges, he said.
So far, 125,000 cards that had been used at Saks or Lord & Taylor have been released for sale, according to Gemini Advisory, and some were used as recently as last month, according to Dmitry Chorine, Gemini Advisory’s chief technology officer.
The group behind the hack is known as JokerStash Syndicate or Fin 7. They appear to have penetrated the retailers’ point of sale systems, Mr. Chorine said.
Following previous breaches, the JokerStash group has released credit-card data in smaller batches, to avoid flooding the market for illegally obtained payment credentials, Mr. Chorine said.
The incident is the latest in a string of hacks that have compromised consumer data. Nearly 148 million U.S. consumers had personal information stolen, including parts of their driver’s license, as part of a breach last year at Equifax Inc., a credit-ratings firm. In 2014, as many as 70 million people had their name, address or phone number taken in a Target Corp. breach. Other retailers, including Home Depot Inc. and Neiman Marcus Group Ltd., have also been hacked.
To make their systems more secure, retailers have been switching to a new form of payment called EMV, for Europay Mastercard and Visa, which uses a computer chip to authenticate transactions.
Hudson’s Bay said all Saks Fifth Avenue and Saks Off 5th stores had EMV installed by the fall of 2016, while Lord & Taylor stores were equipped with the new system by February 2017.