TORONTO/NEW YORK, April 1 (Reuters) - Retailer Hudson's Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.
One cybersecurity firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.
Toronto-based Hudson's Bay said in a statement that it had "taken steps to contain" the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.
“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.
A company spokeswoman declined to elaborate.
The 5 Worst Retail Data Breaches
Affected: 56 million cards.
Duration of compromise: Five months.
Tactic: Malware was installed to skim payment card data; unclear how hackers found an entry into the company's network.
Analysis: "Home Depot's situation is not only a PR nightmare for the home improvement colossus, but it is becoming the poster child for poor security practices across the board. Based upon the enormity of their footprint and alleged poor security, I'm mystified that it took as long as it did for them to be breached. Clearly, they did not heed Target's Paul Revere moment with sufficient urgency."
Affected: 40 million payment card numbers and 70 million other pieces of customer data; 98 million people.
Duration of compromise: Nov. 30 to Dec. 15, 2013.
Tactic: Used credentials of a heating, ventilating and air conditioning vendor to get into Target's network to install the malware to point of sale systems.
Analysis: "In a nation where everything is super-sized, Target (TGT) was one of the first true big-box retailers thrust into the spotlight after their mega breach. While a number of their executive team members have walked the plank and their board is the target of litigation, and their bottom line and share price have taken a hit, the breach highlights the importance of scrutinizing every vendor's security practices – or at least looking into cyber insurance to mitigate the damage of a vendor caused breach. This was a Paul Revere moment for the retail industry. Unfortunately, recently announced retail mega breaches indicate that not enough organizations have taken it as seriously as they should have."
Affected: As many as 200 of its grocery and liquor stores and millions of cards; credit/debit account information possibly stolen.
Duration of compromise: Almost one month.
Tactic: Network access to system that processes transactions.
Analysis: "Little information about this breach has surfaced, but one can only suspect the tactic was similar to that of other big breaches -- POS malware. And according to Avivah Litan, a fraud analyst at information technology firm Gartner, when someone uses a debit or credit card, there's a one in five chance malware is capturing that information. Although Supervalu (SVU) execs say it's not clear if account information has been stolen, scary stats like this suggest otherwise."
Affected: 3 million customer credit and debit cards (the company also had a breach in 2011 in which skimmers were installed on about 70 POS systems and financial information was stolen). Affected systems contained certain payment card information, such as credit/debit card number and expiration date, for both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer information, such as name, address or debit card PIN, was at risk in connection with this issue; however, current automated bank systems make it all too easy to change debit card PINs.
Duration of compromise: Two separate eight-month-long security breaches.
Tactic: POS malware.
Analysis: "Unfortunately, in the breach lottery Michaels hit the exacta -- old-school skimmers installed in the dead of night on their POS systems did the trick in the first breach, and the now-popular POS malware scorched them for a second time -- for 3 million. Two high-profile breaches in a couple of years isn't a goodwill builder for the craft giant."
Affected: Usernames and passwords of employees and users.
Duration of compromise: Unknown.
Tactic: The breach originated with hackers compromising a small number of employee log-in credentials, which gave them access to eBay's (EBAY) corporate network. eBay says it is working with law enforcement and leading security experts to "aggressively" investigate the matter. The credentials appear to have been obtained through a phishing email.
Analysis: "Sophisticated spear phishing scams can turn even the most savvy and sophisticated employee into an unwitting co-conspirator. Comprehensive, continuous security training for all employees, implementation of tough security protocols, use of intricate passwords and rigorous outside testing and monitoring can help avoid a reputation-damaging breach."
Hudson's Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.
JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.
The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson's Bay units, Chorine told Reuters by telephone.
The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.
"It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch," he told Reuters.
Alex Holden, chief information security officer with cybersecurity firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson's Bay.
Affected stores include Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor, according to Hudson's Bay.
There is no indication the breach involved online sales of those stores or its Hudson’s Bay, Home Outfitters and HBC Europe units, the company said.
The company said that customers will not be liable for fraudulent charges resulting from the breach.
(Reporting by Jim Finkle in Toronto and David Henry in New York; Editing by Bill Rigby and Steve Orlofsky)