Hackers take 5 million payment cards from Saks, Lord & Taylor stores

The thefts might be ongoing.

The wave of large-scale retail data breaches isn't about to subside any time soon. Gemini Advisory has discovered that a JokerStash online crime syndicate, Fin7, is planning to sell over 5 million payment cards stolen from the databases of 83 Saks Fifth Avenue stores (including Off 5th) and the entire network of Lord & Taylor. The crooks are 'only' selling 125,000 of the cards on the Dark Web as of this writing, but the rest are expected to reach the black market in the months ahead. The breaches reportedly started in May 2017, but could be continuing to this day.

Most of the affected stores are in New York state and New Jersey, although three Canadian stores (in Toronto, Brampton and Pickering) might have also been hit.

The parent of both retail brands, Canada's Hudson's Bay Company, confirmed the breaches and said it had "taken steps to contain" the hacks. Customers would get free credit monitoring and other identity protection services once there was "more clarity around the facts," HBC said. It's not clear what those security measures entail, however, and it's not certain that the hacks have come to an end. A spokesperson talking to Reuters declined to elaborate.

JokerStash, however, is well-known. The hacker outfit has been connected to a string of data breaches including Chipotle, Omni Hotels and Whole Foods. It has a pattern of dribbling out cards to both maximize their sale potential and to avoid tipping off bank investigators trying to pinpoint the source of a given breach.

News of the hacking comes at a particularly bad time. In March 2017, BuzzFeed News learned that Saks had been storing customer data (though not payment info) in plain text on its servers -- it's bound to be embarrassing for the retailer to suffer a more serious breach just over a year later, even though the two incidents aren't likely connected. HBC may need to bend over backwards to regain the trust of Saks shoppers who've been burned twice.