The brand's Canadian parent, Hudson's Bay Company, has since taken the info down while it works on a solution, and says that only "some email addresses" were affected. HBC maintains that it follows "industry best practices" for security, but that isn't really the case when anyone snooping around its web code could have found the info. BuzzFeed adds that the sites have an inconsistent approach to web encryption, protecting certain pages (such as the login page) but not others. Someone on the same local network could grab unencrypted web traffic and potentially use it to compromise an account.
While there's currently no evidence to suggest that someone made off with the data before it was taken down, the discovery isn't very reassuring. It suggests that online shops are still making basic security mistakes, and don't always realize that even limited data exposure can be very dangerous. It only takes a nosy intruder to turn a blunder like this into a serious incident.
Update: BuzzFeed has since learned that only Saks was affected, not associated brands like Gilt and Lord & Taylor -- we've updated the article accordingly.