Hackers have stolen the records of up to 5 million credit and debit cards, including at certain New York and New Jersey Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores, a cyber security firm said Sunday.
Hudson’s Bay Co., parent of the department stores, is investigating the situation, it said.
“Once we have more clarity around the facts, we will notify our clients rapidly and will offer those impacted free identity protection services, including credit and web monitoring,” the company said in a statement shortly after the cybersecurity company, Gemini Advisory, made news of the hack public.
“We encourage our clients to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize,” the retailer said.
Hudson’s Bay is examining whether the issue included those using company and non-company-issued credit cards.
There is no indication the breach affected online clients, it said.
For Hudson’s Bay, this is the second embarrassing breach in about a year.
Last March, tens of thousands of Saks’ customers’ addresses and phone numbers were inadvertently put on the retailer’s Web site.
At the time Hudson’s Bay said, “The security of our clients is of utmost priority.”
Gemini Advisory purport the thief this time is known as JokerStash or Fin7. The hackers sent phishing e-mails to company employees.
If the recipient clicked on the attachment, which is meant to come as an invoice, the hackers infected the system, according to the Associated Press.
Hudson’s Bay told The Post its information security program is a mix of industry-leading, third-party security services and global, in-house staff support.
Last June, Hudson’s Bay declared it laid off 2,000 workers in an effort to cut costs. It is unclear if any were in information security.
“Security is ever the first thing to get cut,” said Harry Houck, the former head of fraud investigations at Citigroup, making it clear he did not know if this was the case at Hudson’s Bay.
Credit card users who trust they were hacked should demand from their bank a new credit card and PIN number or cancel their cards, Houck said.
Those who buy hacked cards sometimes do not use the stolen information for several years, Houck said.
“People get hit in these attacks three years later who didn’t cancel their cards,” Houck said.
Restoring client confidence will be a test for new Hudson’s Bay Chief Executive Helena Foulkes, former president of CVS Pharmacy, who only took the helm Feb. 19.
The Toronto company’s shares have fallen from C$10.71 a year ago to C$8.92 on Friday.