
Three department store chains in New York were the targets of a year-long cyberattack that has resulted in the theft of over 5 million credit and debit card details.
Saks Off Fifth, Saks Fifth Avenue and Lord & Taylor are still struggling to make headway in the investigations of an attack that possibly did more damage than is presently known by the public.
The three department store chains’ Canada-based parent company, Hudson’s Bay Company, only revealed details about the breach last week, following up with promises to stay on top of the situation.
So far, at least 5 million Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor customers are at risk of identity theft and credit card theft as some of their details are already on the dark web, according to a report from Gemini Advisory, a New York-based cybersecurity firm.
Stolen Data Listed for Sale on Dark Web
Gemini Advisory estimates that the stolen cache of information, which has been labeled BIGBADABOOM-2, covers roughly 5 million credit and debit cards, but only 125,000 of these cards have had their details put up for sale as of now.
By cross-checking with banks in the region, the security experts were able to ascertain that all these stolen cards came from Saks Off Fifth, Saks Fifth Avenue and Lord & Taylor customers.
The security firm also confirmed that the hackers responsible went by the collective names JokerStash and Fin7, a hacking group that is known amongst cybersecurity researchers.
This hacking group is said to be advertising the stolen data all over the dark web, and as its goods attract customers, the publicity undoubtedly earns the group some bragging rights as well as a lot of unwanted attention from the authorities.
Not the First Breach of Its Kind

The attack is reminiscent of a string of previous data breaches in retail outlets such as Home Depot, Neiman Marcus and Target. These attacks were tailored to create a breach in the outlets’ point-of-sale systems.
It also comes just barely on the heels of the high-profile Equifax data breach that exposed personal data belonging to millions of American citizens. Although the attack on the credit bureau bears little resemblance to this one, their back-to-back occurrences are certainly cause for concern.
Gemini Advisory Chief Technology Officer Dmitry Chorine agrees that the number of prolific hacking outfits is worrying.
Furthermore, this is not Fin7’s first attack on chain outlets. Evidence points to the group being involved in a few other attacks on major restaurant and hotel chains, and it also shows that the hacking group had breached the systems of the Hudson’s Bay chain stores a year before the breach was finally discovered.
According to Chorine, cleverly crafted emails were used in what was an elaborate phishing attack that targeted high-ranking employees like managers and supervisors, since their computers presumably had more access to the system.
Once a recipient clicked on one of these emails, an invoice-like attachment was displayed. If the attachment was opened, it proceeded to infect entire systems. This went on unnoticed for a year.
Chorine observed that the majority of the stolen cards were from customers in the metropolitan area of New York City and some of the Northeastern states in the U.S. He speculates that outdated credit card systems are to blame for the results and are likely the reason why the stores were targeted by the Fin7 hacking group in the first place.
Response from Hudson’s Bay
Hudson’s Bay is yet to confirm whether the security breach went beyond the three locations in New York. At the moment, there are no indications that it affected any of their online stores, their Hudson’s Bay outlets in Canada, or, oddly enough, any of their Home Outfitters stores, even in New York.
In a statement, they expressed their deep regret for the incident and promised to assist their customers in any resulting issues.
Hudson’s Bay says it is currently taking measures to prevent any instances of fraud following the attack.
It has created security response pages for each of the three department stores where customers can get more information on the breach.
In addition to that, the company has assured its customers that none of them will be liable for any fraudulent charges should any of their card details fall into the wrong hands.