Hackers steal data from 5 million Saks, Lord & Taylor customers

Beware a shopping spree for cybercriminals as credit and debit card info goes on sale.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
Christmas season in Canada

Up to 5 million customers from Saks Fifth Avenue and Lord & Taylor had their information stolen.


In the cybercrime world, it's "hacks of Fifth Avenue."

Lord & Taylor and Saks Fifth Avenue announced Sunday that 5 million of their customers suffered a data breach, with cybercriminals stealing credit and debit card information. The breach affected Hudson's Bay Co., which owns both chains, in its North American stores.

The company said in an updated statement Monday that it believes the breach  "no longer poses a risk to customers shopping at our stores."

It's also creating a call center, at 1-855-270-9187, so people can call to see if they were affected by the breach.

Data breaches have become a commonplace risk for both customers and companies as hackers target corporations with weak cybersecurity. Last week, for instance, Under Armour announced that 150 million accounts from MyFitnessPal were stolen in a data breach. Entities from travel agencies to voter records have been hit by hackers. More than half of the US population is still feeling the aftereffects of Equifax's massive breach.

People are trusting companies to protect their data, and Hudson's Bay is the latest to show it couldn't.

Security researchers from Gemini Advisory said the majority of the stores affected were in New York and New Jersey, and the problem started in May 2017, ending when the breach was discovered. The hackers, from a group called JokerStash, also known as Fin7, put up more than 5 million stolen credit and debit cards for sale on the dark web, the researchers said.

The hacking group is also allegedly behind the breaches against Whole Foods, Chipotle and Trump Hotels. The researchers said that this was one of the "most damaging to ever hit retail companies."

"The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history," the researchers wrote.

That still pales in comparison to the information from 56 million credit cards stolen from Home Depot in 2014, or the data of 40 million customers hacked from Target.

Saks Fifth Avenue said it would be offering affected customers free identity protection, along with credit and web monitoring. The company said it's still investigating the breach and will notify affected customers as it learns more information.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded:  CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.