A cyber crime group called JokerStash (also known as Fin7) announced the release for sale of five million credit cards obtained from the “Saks Fifth Avenue” luxury department store and the “Lord & Taylor” stores.
How The Theft Was Done
According to Gemini Advisory, a cyber security firm specializing in tracking stolen financial data, the credit card data was stolen by installing malicious software in the cash registers of the stores. The software siphoned credit card data from May 2017 until last month.
Gemini researchers said that the entire network of Lord & Taylor was compromised along with 83 stores of Saks Fifth Avenue. The majority of credit cards were stolen from store locations in New York and New Jersey.
The JokerStash group is known for also hacking into Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels, and other large companies. However, its latest hack of the Saks Fifth Avenue and Lord & Taylor stores seems to have been one of the most profitable, with the group obtaining over 5 million credit cards.
Hudson’s Bay Company (HBC), a Canadian retail group, owns both Saks Fifth Avenue and Lord & Taylor stores, along with other retail brands, such as Galeria Kaufhof, Home Outfitters, and Gilt.com, a popular online shopping site. However, these last three companies don’t seem to have been hacked by JokerStash.
Ignoring Security Upgrades Gets You Hacked
As Maersk’s chair recently said, it’s imperative for companies to strive to secure their devices and networks as much as possible. Otherwise, it’s only a matter of time before they get hacked, too.
Saks Fifth Avenue and Lord & Taylor seem to have also learned this lesson the hard way. The two companies are among the few that have held out on upgrading their cash registers to use only EMV “chip and PIN” cards.
Now, the two companies not only have to deal with the negative press and their customers’ anger, but they are also liable for this data breach. A law passed in 2015 shifted liability to retail stores in case of credit card data breaches, unless said stores used EMV chip and PIN cards, in which case the liability would remain with the banks.
Gemini researchers recommended that customers of the two retail chains either replace their cards or set up transaction alerts to monitor for suspicious activity. The cyber security company anticipates a significant surge in fraudulent in-person purchases in the coming months using those stolen cards.
"Considering the typical weight of a credit card, that would likely add up to well over 60,000 lbs (27,000 kg). They must have used a big truck, or maybe a boat to haul them off. It must have been an impressive heist, but it seems like it would have been easier for them to just record the numbers somehow."
Anyway, one would have thought that these retail stores would have learned from the Target hacking disaster. Nope. As one who spent 10 years in the IT industry, corporation budgets list IT infrastructure at the bottom of priorities. Keep the doors wide open to save money for the bottom line and keep the stock holders happy. It's just insane stupidity.