5 million credit and debit card records stolen in Saks Fifth Avenue data theft

Criminal hackers stole the records of 5 million credit and debit cards, which were used for in-store purchases at two Hudson’s Bay Company (HBC) stores, Saks Fifth Avenue and Lord & Taylor. The cards were advertised for sale by infamous JokerStash syndicate Fin7, which has a history of carrying out successful high-profile breaches, including with:

  • Whole Foods
  • Chipotle
  • Omni Hotels & Resorts
  • Trump Hotels

When presented with data records, several financial institutions tested and confirmed that they had all been used at those two stores. According to Gemini Advisory, the data breach is the most significant credit card heist in modern history.

HBC claims it has zeroed-in on the issue and contained it. It is also cooperating with the authorities during an ongoing investigation.

Further HBC data breach details

HBC said that there is “no indication” that online purchases were affected. A press release issued by HBC indicated that “[o]nce the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Gemini Advisory has provided additional breach details:

  • The largest number of stolen payment cards were from branches in New York and New Jersey
  • It is likely that all Lord & Taylor and 83 Saks Fifth Avenue branches were impacted across the US, plus a potential further three branches in Canada
  • The estimated time frame of the data compromise is from May 2017 to the present
  • Around 125,000 records were released for sale at the time of writing, with all 5 million records expected to be available in coming months

Protect your organization from a data breach

In the past few weeks, there have been a number of high-profile data breaches. Under Armour, for example, has had 150 million user accounts compromised. Don’t wait for your organization to be next. An adequate way to protect your data is to implement an information security management system (ISMS), which outlines the necessary policies, processes, and procedures to systematically approach information security.

ISO 27001 is the international standard describing best practice for an effective ISMS. Implementing an ISMS and obtaining ISO 27001 certification shows others that your organization has taken reasonable steps to ensure the confidentiality, integrity, and availability of your sensitive and confidential data. Testing and assessing your ISMS is essential to learn whether or not it is functioning as it should, and an opportunity to make any improvements necessary. Achieving ISO 27001 compliance – and certification – requires an internal audit, which can help you better understand your organization’s cybersecurity posture.

Free webinar: Assessing compliance: the ISO 27001 ISMS internal audit

On Wednesday April 4, 2018, 10:00 am (PDT)/1:00 pm (EDT), IT Governance will present a free webinar providing an overview of an internal audit. Topics covered include:

  • The requirements for an internal audit and internal audit program
  • The role of the internal auditor and ISMS audits
  • Mandatory documents for reviewing an ISO 27001-compliant ISMS
  • An evidence-based approach to reporting, identifying, and compiling nonconformities
  • Addressing common audit mistakes and challenges

Register for Assessing compliance: the ISO 27001 ISMS internal audit.