Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks

Bougie buyers bitten by baddies' bank-blasting bug

Luxury store chain Saks Fifth Avenue has confirmed it was the victim of a massive cyber-attack that could compromise millions of shoppers.

The Fin7 hacking group bragged it compromised Saks' computer systems, and lifted about five million payment cards from those who made purchases at the upscale clothing store's brick-and-mortar locations.

The claims were confirmed over the weekend by the shopping giant, which said it appears the data was pulled from not only Saks Fifth Avenue stores, but also Saks OFF 5th and Lord and Taylor stores via infected sales terminals.

Security firm Gemini Advisory revealed the security breach, saying that while only 125,000 stolen cards have been released so far, the hackers are advertising a total of five million payment card numbers lifted from stores mostly in New York and New Jersey, in the USA. The firm believes much of the retail network for all three store chains was infected.




"Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present," Gemini Advisory said.

"Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised."

Saks said that only its brick-and-mortar stores were ransacked by the hackers – online shoppers were not affected. While the attackers were able to harvest payment card details, such as card numbers and expiration dates, other personally identifiable information was not taken.

"Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring," Saks said in its notification to customers.

"We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize."

The attack is the latest to use malware-infected cash registers to collect and siphon off card numbers as they are read from the cards, and before they can be encrypted.

Gemini noted that, because Saks tends to attract higher-income customers, the pilfered bank cards could be particularly valuable to fraudsters.

"While diners at the affordable fast-food chain are less likely to purchase hi-end electronics like Apple computers and Microsoft Surface Books, which are coveted by cybercriminals for their high liquidity, it is also easier for banks to identify unusual shopping patterns and promptly block out-of-pattern transactions," the security consultancy said.

"However, cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time." ®

Updated to add

Juniper Networks has just told El Reg that the breach may be larger than first reported: one million additional stolen card numbers have been found, this time from stores in the EU and Asia. This would bring the total number of victims up to around six million.

We've asked Saks' parent Hudson's Bay Company for confirmation.
