Customer Payment Card Data Breach At Certain Saks Fifth Avenue, Saks OFF 5TH, And Lord & Taylor Stores In North America

Hudson’s Bay Company issued an announcement on April 1, 2018 that the company “. . .  has become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. While the investigation is ongoing, there is no indication at this time that this affects the Company’s e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe.”

Hacking Group Offers More than 5 Million Stolen Credit and Debit Cards for Sale

According to The Washington Post, “[a] data breach at department store chains Saks Fifth Avenue, Saks [OFF] Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores.”  The Washington Post also reported that “New York-based security firm Gemini Advisory LLC says that a hacking group called JokerStash announced last week that it had put up for sale more than 5 million stolen credit and debit cards, and that the compromised records came from Saks and Lord & Taylor customers.”

Customers Not Liable for Fraudulent Charges

Hudson’s Bay Company’s Security Information Notice stated that its customers will not be liable for fraudulent charges which may result from the security incident.  Hudson’s Bay Company also stated that their investigation has not revealed that Social Security or driver’s license numbers were compromised by the security issue.  Additional customer information can be located by accessing Saks Fifth Ave Security Information NoticeSaks OFF Fifth Security Information Notice or
Lord & Taylor Security Information Notice.

Past Exposure of the Personal Information of Thousands of Saks Fifth Avenue Customers

In March 2017, BuzzFeed reported:

The personal information of tens of thousands of customers of Saks Fifth Avenue has been publicly available in plain text online, BuzzFeed News has learned.

The online shopping site for the brand is maintained by the digital division of its owner, the Canada-based Hudson’s Bay Company. Until recently, unencrypted, publicly accessible web pages on the site contained tens of thousands of records for customers who signed up for wait lists to buy products.

The records included email addresses and product codes for the items customers expressed interest in buying; some also contained phone numbers. Each record also included a date and time, and one of a handful of recurring IP addresses.

The pages, which were reviewed by BuzzFeed News in recent days, were taken offline after [Hudson’s Bay Company] was contacted for comment [about BuzzFeed’s] story. The Saks website also serves logged in customers some pages over unencrypted connections, leaving online shoppers’ information vulnerable to hackers while they browse the site on an open Wifi network.

Kehoe Law Firm, P.C.