Skip to main content

Hudson’s Bay Clarifies Just How Long Customer Data Was Vulnerable

Hudson’s Bay Company has provided insight into its data breach investigation, including who is most at risk.

On Friday, HBC issued an update on the data breach it announced on April 1, one day after it contained malware in its point of sale systems. The retail group said customer payment data was compromised as far back as July 1, 2017 at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America.

The company said it’s possible that all doors were affected but not every customer who shopped in those stores during those times were compromised. For those who were, the malicious software stole consumers’ payment information but not other personal details like social security numbers or driver’s license numbers. HBC affirmed they would not be held responsible for any fraudulent charges. It is also providing impacted shoppers with identity theft protection services.

The company’s investigation shows that Saks Fifth Avenue cardholders got away unscathed. HBC also reiterated that the attack doesn’t seem to have affected its other nameplates or e-commerce or digital businesses.

“Our customers are our top priority and we take the protection of their information very seriously. We deeply regret any concern this issue may have caused,” HBC CEO Helena Foulkes. “Throughout this process, we have made it our goal to work quickly to provide support and information to our customers and we will continue to serve them with that same dedication.”

Industry insiders have speculated that HBC’s chip-and-pin, EMV-compliant system, could have been the culprit. Though thought to be more secure than other POS, RSR Research managing partner Paula Rosenblum said it’s best when used in conjunction with point-to-point (P2P) data encryption. Others said P2P encryption and tokenization is the safest method.

HBC is not the only retailer racing to restore trust after data breaches left shoppers exposed. In the last few weeks alone, Sears and Under Armour have been dealing with similar issues. And the privacy problems at Facebook have kept the topic in the news.