
Does a High-Profile Hack Point to Systemic Cybersecurity Risks at Saks and Lord & Taylor?

Saks Fifth Ave, Saks OFF 5th and Lord & Taylor suffered a point-of-sale (POS) data breach that exposed more than 5 million credit and debit card numbers, compromised the entire Lord & Taylor fleet as well as 83 Saks full-line stores, and could date as far back as May 2017, according to a post from cybersecurity firm Gemini Advisory, which first identified the breach.

A statement posted on the Saks Fifth Ave website confirmed the security breach and indicates that the retailer has identified and contained the issue, and believes it no longer poses a risk to customers. Saks plans to offer credit and web monitoring services free of charge to anyone affected by the breach.

Most of the payment card information came from stores in the New Jersey and New York area, according to Gemini, and three locations in Ontario could be compromised. Saks Fifth Ave’s and Lord & Taylor’s e-commerce operations, as well as other brands under the Hudson’s Bay Company umbrella, do not seem to be affected, according to reports.

On Wednesday the hacking group Fin7, also known as JokerStash, claimed responsibility for the breach and put data from 125,000 of the credit and debit cards up for sale on the dark web, Gemini said.

A Wall Street Journal article indicates that Saks and Lord & Taylor stores had upgraded to EMV-compliant point-of-sale systems by fall 2016 and February 2017, respectively, ahead of when the breach is estimated to have begun. EMV, or chip-and-PIN, a standard that has been in effect in Europe for a number of years, is believed to improve POS security on a number of fronts, chiefly by making the card itself far harder to clone than a magnetic stripe.

According to RSR Research managing partner Paula Rosenblum, retailers should be on high alert about their EMV-equipped payment systems, which EMV alone may not make as secure as previously thought.


“Theoretically, EMV does not expose a credit card number to the POS system at all. So, if they had said ‘We were storing credit card numbers and the place we store them was compromised,’ I would say ‘Shame on you, HBC,’” Rosenblum said. “But the fact that they explicitly said their POS system had been compromised is a real head scratcher for me. The only thing I can figure is that they were not using point-to-point (P2P) encryption when sending the data to the credit card processor. That is not part of the EMV standard, but most retailers do it anyway, and now you can see why.”

A July 2016 report from RIS News shows that 53 percent of retailers believed that adopting P2P encryption and tokenization would effectively de-identify credit card data throughout the payment process. At the time, 53 percent of surveyed retailers said they were up to date with P2P encryption, while another 30 percent were upgrading.

IHL Group founder and president Greg Buzek said P2P encryption and tokenization weren’t required as part of the U.S. version of EMV. What’s more, EMV that used a chip card and signature was never secure. “Having the PIN would have provided some level of security,” Buzek explained. “Chip and PIN only protected the card brands and the only benefit to retailers was they wouldn’t get gouged from their banks in chargebacks if they were EMV compliant.

“But EMV never required encryption,” Buzek said. “We have always recommended P2P encryption AND tokenization, regardless of whether a retailer chose to be EMV compliant. That was the only thing that brought security. Having EMV without encryption and tokenization was simply fool’s security. And if Saks indeed was EMV compliant and did not have P2P encryption and tokenization, this is indeed a perfect example of that.”
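The distinction Rosenblum and Buzek draw is easier to see in code. The simulation below is an added example written for this page; it is not code from HBC, Gemini, RSR, IHL or any payment vendor. It models two POS flows for the same chip transaction: one where the terminal hands the card number (PAN) to the POS software in the clear, and one where the reader encrypts it before the POS ever sees it (P2PE), with the processor returning a token the merchant can store instead of the PAN. A Luhn-filtered digit scan stands in for what POS memory-scraping malware does to a process's memory. The message layout, the merchant ID, the SHA-256 counter keystream with an HMAC tag (a stand-in for the AES/DUKPT scheme real P2PE readers use) and the token format are all assumptions made for the example, and the card number is a standard test number, not a real card.

```python
"""Added example: EMV alone vs. EMV plus P2PE and tokenization (toy simulation, not vendor code)."""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample data: a well-known test PAN, not a real card.
TEST_PAN = "4111111111111111"
EXPIRY = "2512"


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as card brands define it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def scan_for_pans(memory: bytes) -> list:
    """What a POS RAM scraper (or a DLP scanner) does: card-length digit runs that pass Luhn."""
    return [m.group().decode() for m in PAN_RE.finditer(memory) if luhn_ok(m.group().decode())]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed toy cipher: SHA-256 in counter mode. Real readers use AES/TDES keys derived via DUKPT.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reader_encrypt(key: bytes, plaintext: bytes, nonce: bytes = None):
    """Encrypt-then-MAC inside the card reader, before the POS host sees the data."""
    nonce = nonce or secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def processor_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Only the processor holds the key; a tampered blob is rejected, not decrypted."""
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pos_message_without_p2pe(pan: str, expiry: str, amount_cents: int) -> bytes:
    """EMV chip read, but the PAN reaches POS memory in the clear: this is what scrapers harvest."""
    track = f"{pan}={expiry}".encode()
    return b"AUTH|MID=000123|AMT=%d|DATA=%s" % (amount_cents, track)


def pos_message_with_p2pe(pan: str, expiry: str, amount_cents: int, reader_key: bytes) -> bytes:
    """P2PE: the POS only ever handles an opaque blob it cannot decrypt."""
    nonce, ct, tag = reader_encrypt(reader_key, f"{pan}={expiry}".encode())
    blob = base64.b64encode(nonce + ct + tag)
    return b"AUTH|MID=000123|AMT=%d|ENC=%s" % (amount_cents, blob)


def tokenize(pan: str, vault: dict) -> str:
    """Processor-side vault: merchant keeps the token for refunds/loyalty, never the PAN."""
    for token, stored in vault.items():
        if stored == pan:
            return token
    while True:
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(11)) + pan[-4:]
        if token not in vault and token != pan:
            vault[token] = pan
            return token


def processor_handle(msg: bytes, reader_key: bytes, vault: dict) -> str:
    """Processor accepts either message form, recovers the PAN, and returns a token."""
    fields = dict(f.split(b"=", 1) for f in msg.split(b"|")[1:])
    if b"ENC" in fields:
        raw = base64.b64decode(fields[b"ENC"])
        nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
        pan = processor_decrypt(reader_key, nonce, ct, tag).decode().split("=")[0]
    else:
        pan = fields[b"DATA"].decode().split("=")[0]
    return tokenize(pan, vault)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    plain = pos_message_without_p2pe(TEST_PAN, EXPIRY, 249999)
    enc = pos_message_with_p2pe(TEST_PAN, EXPIRY, 249999, key)
    print("EMV only, scraper finds:", scan_for_pans(plain))
    print("EMV + P2PE, scraper finds:", scan_for_pans(enc))
    print("merchant stores token:", processor_handle(enc, key, {}))
```

Running it shows the scraper recovering the full PAN from the first message and nothing from the second, while the processor still authorizes both and hands back a token that is useless outside its vault. That is the gap Buzek describes: the chip stops card cloning, but only encryption at the reader keeps the PAN out of POS memory, and only tokenization keeps it out of the merchant's databases.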

Though an identical number of card details was compromised in the December 2017 Jason’s Deli Restaurants breach, Gemini believes the fallout from the Saks hack could be far greater.

“While diners at the affordable fast-food chain are less likely to purchase high-end electronics like Apple computers and Microsoft Surface Books, which are coveted by cybercriminals for their high liquidity, it is also easier for banks to identify unusual shopping patterns and promptly block out-of-pattern transactions,” according to Gemini. “However, cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time.”

A data breach last year also points to systemic cybersecurity lapses at Saks. Tens of thousands of customer emails and phone numbers were exposed online, unencrypted, according to a Buzzfeed article, after shoppers added products to their wish lists via insecure public WiFi.