NEW YORK — Retail group Hudson’s Bay on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks Fifth Avenue and Lord & Taylor stores in North America.
One cybersecurity firm said it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but the firm added that it was too soon to confirm whether that was the case.
The Toronto-based retailer said in a statement that it had “taken steps to contain” the breach but did not say it had succeeded in confirming that its network was secure. Hudson’s Bay also did not say when the breach began or how many payment card numbers were taken.
“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the statement said.
A company spokeswoman declined to elaborate.
The breach comes as Hudson’s Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. In June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.
Hudson’s Bay disclosed the incident after Gemini Advisory, a New York-based cybersecurity firm, reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group called JokerStash.
JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, Gemini chief technology officer Dmitry Chorine said.
The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson’s Bay units, Chorine told Reuters by telephone.
The bulk of the 5 million card numbers that JokerStash said it plans to release are probably from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.
“It’s hard to assess at the moment, primarily because hackers have not released the entire cards in one batch,” he told Reuters.
Alex Holden, chief information security officer with cybersecurity firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson’s Bay.
The theft of millions of records would make the breach one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.
From 2006 to 2008, hackers stole more than 130 million credit cards from credit card processor Heartland Payment Systems, convenience store operator 7-Eleven and grocer Hannaford Brothers, federal investigators said.
Cybercriminals stole about 40 million payment cards from Target in 2013 and 56 million from Home Depot in 2014.
Hudson’s Bay said there is no indication its recent breach involved online sales at Saks and Lord & Taylor outlets, or its Hudson’s Bay, Home Outfitters or HBC Europe units.
The company said customers will not be liable for fraudulent charges resulting from the breach.