Three Canadian locations of department store Saks were exposed to the data breach that parent company Hudson’s Bay Co. disclosed over the weekend, says a New York-based cybersecurity firm.
Hudson’s Bay, known as HBC,Â released little information Sunday on the breach itself, but Gemini Advisory LLC said it had analyzed the available data and found information from five million credit cards had been compromised.
Gemini said in a report that the information was stolen from 83 Saks Fifth Avenue or Saks Off Fifth stores, and from all locations of Lord Taylor, a U.S. department store chain owned byÂ HBC.
The firm found that three Canadian Saks locations, all in Ontario,Â were exposed to the breach:
- Sherway Gardens in Toronto.
- Bramalea City Centre in Brampton.
- Pickering Town Centre.
HBC itself hasn’t saidÂ whether any of its Canadian locationsÂ were affected.Â It says the investigation is ongoing,Â but there’s no indication the breach affectedÂ the company’s digital platforms or Hudson’s Bay and Home Outfitters stores.
Influx of stolen credit card data
Dmitry Chorine, the co-founder of Gemini Advisory, said his firm works to improve response to data breaches by analyzing stolen data appearing on the so-called dark web.
Chorine said the firm started looking into the breach when it noticed an influx of stolen credit and debit card information being offered for sale on the dark web last week.
Upon analyzing the data, Chorine said the firm was able to determine that shoppers at all Lord Taylor and at certain Saks locations were at risk of having their information stolen.
“On March 28, we saw a significant spike of stolen credit cards offered for sale on one of the marketplaces,”Â Chorine said.
“When we checked, we saw there was an advertisement stating that more than five million credit and debit cards will be offered for sale, and that’s when we decided to research this particular breach.”
The data that Chorine and his team found wereÂ being offered on a dark web marketplace operated by a hacking group called JokerStash, which Chorine says has been active in hacking retail and hospitality companies for the past three years.
Gemini Advisory said Sunday it had found stolen data on 125,000 payment cards dating from as early as March 2017Â and as late as March 2018.Â About 75 per cent of the credit and debit cards appear to have been taken fromÂ theÂ HBC-ownedÂ retailers.
Chorine said only certain Saks locations were affected because the outlet was in the process of switching from card-swipe technology to EMV chip technology, which is already commonly used in Canada.
Customers not liable for charges, HBCÂ says
HBC saidÂ there could be fraudulent charges to customers’ accounts because of the breach, but addedÂ those customers won’t be liable to pay them.
It’s asking clients to review their account statements to see if there haveÂ been activity or transactions they don’t recognize.
The company saidÂ it will notify customers affected by the breach as quickly as possible and will offer free identity protection services once they learn more about the breach.
The company also said there’s no indicationÂ social security numbers or driver’s licence information were affected by the breach.Â
Article source: http://www.cbc.ca/news/business/saks-data-breach-hbc-canadians-1.4601985?cmp=rss