5 million credit cards exposed in Saks and Lord & Taylor data breach
By Paul Ducklin, Sophos
April 4, 2018
A holiday weekend without a big data breach story!
In your dreams, sadly – because in real life, the mainstream media in North America has been full of Easter news about a large-scale exposure of credit card data from Saks Fifth Avenue and other brands operated by Canadian retail giant Hudson’s Bay Company, or HBC for short.
A Dark Web monitoring company called Gemini Advisory announced the breach on 01 April 2018 (it wasn’t a joke) on Twitter:
Gemini Advisory itself is a bit of a mystery – there’s no address or phone number on the company’s website, and
According to the company, it is:
Gemini Advisory’s claim in this data breach case is a bullish one, apparently based on an advert in an underground forum published by a crook going by the handle of JokerStash:
breach was apparently dubbed
The mention of “track dumps” suggests that the stolen data derives from old-style swipe-card transactions, where the contents of the magnetic stripe on your card are uploaded in their entirety from the card reader to the payment processing terminal, typically a Windows PC, for processing within the merchant’s network.
Chip and PIN transactions avoid that risk, but many US merchants still seem to prefer customers to swipe their cards even if they are chip-enabled – apparently the transactions are slightly faster if swiped rather than chipped, so both buyers and sellers seem to be happy to live in the past for the sake of a few seconds.
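To make concrete what a “track dump” is and why swiped data sitting in cleartext on a POS host is the problem, here is an added example (not from the article, and not HBC’s or Gemini Advisory’s code). It decodes the ISO/IEC 7813 Track 2 format that a magstripe reader emits, Luhn-checks the PAN, and then runs a defender-side scan over a constructed buffer standing in for a POS process memory region, reporting only masked PANs. The card number is a public Visa test number and the buffer contents are constructed; the service-code check (first digit 2 or 6 means the card carries a chip) flags the exact case the article describes, a chip-capable card that was swiped anyway.

```python
"""
Added example (not part of the Sophos article): what a magnetic-stripe
"track dump" contains, and a DLP-style check for cleartext track data on a
POS host. The PAN is a public test number; the "memory" buffer is constructed.
"""
import re
from typing import Dict, List, Optional

# ISO/IEC 7813 Track 2: start sentinel ';', PAN (12-19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data,
# end sentinel '?'. This is the data a swipe uploads to the terminal.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum (weeds out false hits)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style masking: at most first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(raw: bytes) -> Optional[Dict[str, object]]:
    """Decode one Track 2 string into its fields, or None if malformed/invalid."""
    m = TRACK2_RE.fullmatch(raw)
    if not m or not luhn_ok(m.group(1).decode()):
        return None
    pan, yy, mm, svc, disc = (g.decode() for g in m.groups())
    return {
        "pan": pan,
        "expiry": f"20{yy}-{mm}",
        "service_code": svc,
        # Service code first digit 2 or 6 => issuer says the card has a chip.
        # Track data for such a card means it was swiped instead of dipped.
        "chip_card": svc[0] in "26",
        "discretionary": disc,
    }


def scan_memory(buf: bytes) -> List[Dict[str, object]]:
    """Find Luhn-valid Track 2 data in a buffer (e.g. a POS process dump).
    A non-empty result means card data is in cleartext on the host, which is
    exactly what RAM-scraping malware looks for. Only masked PANs are returned."""
    findings = []
    for m in TRACK2_RE.finditer(buf):
        rec = parse_track2(m.group(0))
        if rec:
            findings.append({
                "offset": m.start(),
                "pan": mask_pan(rec["pan"]),
                "expiry": rec["expiry"],
                "chip_card": rec["chip_card"],
            })
    return findings


# Constructed sample: a fake POS memory region holding one swipe of a public
# Visa test card (service code 201 = chip card, swiped anyway), some noise,
# and a Luhn-invalid decoy that the scanner must ignore.
SAMPLE_DUMP = (
    b"\x00\x00TXN 0042 TERM 07 \x00"
    b";4111111111111111=25122011234567890123?"        # test PAN, exp 2025-12
    b"\x00\x00\xffjunk;1234567890123456=2601201?\x00"  # fails Luhn check
    b"APPROVED\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Run as-is it reports a single finding at offset 20 with the masked PAN 411111******1111 and chip_card set to True; the decoy is dropped by the Luhn check. A chip transaction never places this static track string on the terminal, which is why the same scan over a chip-only deployment should come back empty.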
HBC doesn’t mention the breach on its Twitter feed or its own website, with its most recent press release dated nearly a month ago, trumpeting in shouty capitals that HUDSON’S BAY ANNOUNCES BRIAN GLUCKSTEIN AS NEW HOME DESIGN AMBASSADOR.
Saks Fifth Avenue, to its credit, has a link at the top of its main page entitled Important Message for Our Customers Regarding Payment Card Security Issue, but there’s still not a lot to go on there.
The company insists, three times, in fact, that:
The affected locations where data was harvested aren’t mentioned explicitly, with a blanket statement saying simply that “certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America” were affected – suggesting that the breach affected multiple countries, as well as multiple stores.
What to do?
Saks Fifth Avenue insists – as in the infamous Target breach back in 2013 – that the breach involved in-store payments only, with no compromise of its online e-commerce network, suggesting that some sort of data-logging or RAM-scraping malware on cash registers might have been involved.
Chip and PIN helps to sidestep this sort of attack because your card data is never shoved into memory on the retailer’s network – at least some of the cryptographic processing required to authorise the transaction is done internally on the card itself.
We therefore recommend: