5 million credit cards exposed in Saks and Lord & Taylor data breach

A holiday weekend without a big data breach story!

Imagine that!

In your dreams, sadly – because in real life, the mainstream media in North America has been full of Easter news about a large-scale exposure of credit card data from Saks Fifth Avenue and other brands operated by Canadian retail giant Hudson’s Bay Company, or HBC for short.

A Dark Web monitoring company called Gemini Advisory announced the breach on 01 April 2018 (it wasn’t a joke) on Twitter:

Gemini Advisory itself is a bit of a mystery – there’s no address or phone number on the company’s website, and the Contact Us process is one of those mysterious web forms where you hand over your contact details and submit your query into the ether by clicking a [Send Message] button.

According to the company, it is:

Deeply embedded in the hacking underground, [where] our multilingual experts, who have years of experience consulting Fortune 100 companies, and federal law enforcement agencies, successfully conduct covert operations and provide ongoing support of cyber defense, threat intelligence, and fraud prevention teams.

Gemini Advisory’s claim in this data breach case is a bullish one, apparently based on an advert in an underground forum published by a crook going by the handle of JokerStash:

On March 28, 2018, a JokerStash hacking syndicate announced the release for sale of over five million stolen credit and debit cards. In co-operation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores. We estimate the window of compromise to be May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations. As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.

The breach was apparently dubbed BIGBADABOOM-2 (it’s not just bugs that have catchy names these days), and claimed to offer TR2+TR1 dumps of cards from dozens of different countries.

The mention of “track dumps” suggests that the stolen data derives from old-style swipe-card transactions, where the contents of the magnetic stripe on your card are uploaded in their entirety from the card reader to the payment processing terminal, typically a Windows PC, for processing within the merchant’s network.

Chip and PIN transactions avoid that risk, but many US merchants still seem to prefer customers to swipe their cards even if they are chip-enabled – apparently the transactions are slightly faster if swiped rather than chipped, so both buyers and sellers seem to be happy to live in the past for the sake of a few seconds.

HBC doesn’t mention the breach on its Twitter feed or its own website, with its most recent press release dated nearly a month ago, trumpeting in shouty capitals that HUDSON’S BAY ANNOUNCES BRIAN GLUCKSTEIN AS NEW HOME DESIGN AMBASSADOR.

Saks Fifth Avenue, to its credit, has a link at the top of its main page entitled Important Message for Our Customers Regarding Payment Card Security Issue, but there’s still not a lot to go on there.

The company insists, three times, in fact, that:

We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.

The affected locations where data was harvested aren’t mentioned explicitly, with a blanket statement saying simply that “certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America” were affected – suggesting that the breach affected multiple countries, as well as multiple stores.

What to do?

Saks Fifth Avenue insists – as in the infamous Target breach back in 2013 – that the breach involved in-store payments only, with no compromise of its online e-commerce network, suggesting that some sort of data-logging or RAM-scraping malware on cash registers might have been involved.
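The “TR1+TR2 dumps” on sale are whole magnetic-stripe reads, which is also what RAM-scraping malware harvests from a register’s memory. As an added example (not code from the article or from any of the companies it names), here is a defender-side scanner that finds ISO 7813 track 1 and track 2 data in a captured memory or log fragment, drops random digit runs via the Luhn check, masks the PAN for triage, and flags cards whose service code says the chip should have been used; `SAMPLE_DUMP`, the names and the well-known test card numbers are all constructed.

```python
import re

# Layout of a full magnetic-stripe read (ISO 7813 track 1 format B and track 2),
# which is what "TR1+TR2 dumps" refers to. Sample data below is constructed.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: filters random digit runs out of the matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so an analyst can triage without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list[dict]:
    """Return one record per Luhn-valid track found in a text blob."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(blob):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            svc = m.group("svc")
            hits.append({
                "track": track,
                "pan_masked": mask_pan(pan),
                "expiry_yymm": m.group("exp"),
                "service_code": svc,
                # ISO 7813 service code first digit 2 or 6: issuer says
                # "use the chip where possible", i.e. a chip card was swiped
                "chip_capable": svc[0] in "26",
            })
    return hits


# Constructed stand-in for a memory or log fragment; card numbers are
# well-known test PANs, the name and other values are invented.
SAMPLE_DUMP = (
    "\x00\x00GET /ping HTTP/1.1\r\n"
    "%B4111111111111111^DOE/JANE^2512201000000000?"
    ";5555555555554444=25121011234567890?"
    ";4111111111111112=2512101?"        # fails Luhn: not reported
    "\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

A hit in process memory of a register that never legitimately stores track data is a strong indicator of the scraping described above, and the masked PAN plus expiry is enough to hand to the card brands without spreading the full number further.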

Chip and PIN helps to sidestep this sort of attack because your card data is never shoved into memory on the retailer’s network – at least some of the cryptographic processing required to authorise the transaction is done internally on the card itself.

We therefore recommend:

  • Avoid shopping at stores where the merchant insists on you swiping your card when you want to do a chip payment instead.
  • Watch your card statements carefully, so you can dispute unexpected transactions promptly.
  • Consider requesting a new card from your financial institution if you have shopped at any of the above-mentioned outlets in the past year.