Group Steals 5 Million Credit Cards From Saks Fifth Avenue

A cyber crime group called JokerStash (also known as Fin7) announced the release for sale of five million credit cards obtained from the “Saks Fifth Avenue” luxury department store and the “Lord & Taylor” stores.

How The Theft Was Done

According to Gemini Advisory, a cyber security firm specializing in tracking stolen financial data, the credit card data was stolen by installing malicious software in the cash registers of the stores. The software has been siphoning credit card data from May 2017 until last month.

Gemini researchers said that the entire network of Lord & Taylor was compromised along with 83 stores of Saks Fifth Avenue. The majority of credit cards were stolen from store locations in New York and New Jersey.

The JokerStash group is also known for hacking into Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels, and other large companies. However, its latest hack of the Saks Fifth Avenue and Lord & Taylor stores seems to have been one of the most profitable, with the group obtaining over 5 million credit cards.

Hudson’s Bay Company (HBC), a Canadian retail group, owns both Saks Fifth Avenue and Lord & Taylor stores, along with other retail brands, such as Galeria Kaufhof, Home Outfitters, and Gilt.com, a popular online shopping site. However, these last three companies don’t seem to have been hacked by JokerStash.

Ignoring Security Upgrades Gets You Hacked

As Maersk’s chair recently said, it’s imperative for companies to strive to secure their devices and networks as much as possible. Otherwise, it’s only a matter of time before they get hacked, too.

Saks Fifth Avenue and Lord & Taylor seem to have also learned this lesson the hard way. The two companies are among the few that have held out on upgrading their cash registers to using only EMV “chip and PIN” cards.

Now, the two companies not only have to deal with the negative press and their customers’ anger, but they are also liable for this data breach. A law passed in 2015 shifted liability to retail stores in case of credit card data breaches, unless said stores used EMV chip and PIN cards, in which case the liability would remain with the banks.

Gemini researchers recommended that customers of the two retail chains either replace their cards or set up transaction alerts to monitor for suspicious activity. The cyber security company anticipates a significant surge in fraudulent in-person purchases in the coming months using those stolen cards.

3 comments
  • cryoburner
    Quote:
    Group Steals 5 Million Credit Cards From Saks Fifth Avenue

    Considering the typical weight of a credit card, that would likely add up to well over 60,000 lbs (27,000 kg). They must have used a big truck, or maybe a boat to haul them off. It must have been an impressive heist, but it seems like it would have been easier for them to just record the numbers somehow.
  • hellraiser06
    I hope you are not serious. The systems at the shops were hacked due to which all digital information transferred between a card and the cash register was recorded by the hackers. Which essentially means that the important information such as credit card number, name, CVV etc. was siphoned off. The cards were not physically stolen. Quit playing GTA V too much!

    "Considering the typical weight of a credit card, that would likely add up to well over 60,000 lbs (27,000 kg). They must have used a big truck, or maybe a boat to haul them off. It must have been an impressive heist, but it seems like it would have been easier for them to just record the numbers somehow."
  • 10tacle
    ^^I'm assuming he's being sarcastic (and I hope he is too).

    Anyway, one would have thought that these retail stores would have learned from the Target hacking disaster. Nope. As one who spent 10 years in the IT industry, corporation budgets list IT infrastructure at the bottom of priorities. Keep the doors wide open to save money for the bottom line and keep the stock holders happy. It's just insane stupidity.