Updated Luxury store chain Saks Fifth Avenue has confirmed it was the victim of a massive cyber-attack that could compromise millions of shoppers.
The Fin7 hacking group bragged it compromised Saks' computer systems, and lifted about five million payment cards from those who made purchases at the upscale clothing store's brick-and-mortar locations.
The claims were confirmed over the weekend by the shopping giant, which said it appears the data was pulled from not only Saks Fifth Avenue stores, but also Saks OFF 5th and Lord and Taylor stores via infected sales terminals.
Security firm Gemini Advisory revealed the security breach, saying that while only 125,000 stolen cards have been released so far, the hackers are advertising a total of five million payment card numbers lifted from stores mostly in New York and New Jersey, in the USA. The firm believes much of the retail network for all three store chains was infected.
"Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present," Gemini Advisory said.
"Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised."
Saks said that only its brick-and-mortar stores were ransacked by the hackers – online shoppers were not affected. While the attackers were able to harvest payment card details, such as card numbers and expiration dates, other personally identifiable information was not taken.
"Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring," Saks said in its notification to customers.
"We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize."
The attack is the latest to use malware-infected cash registers to collect and siphon off card numbers as they are read from the cards, and before they can be encrypted.
Gemini noted that, because Saks tends to attract higher-income customers, the pilfered bank cards could be particularly valuable to fraudsters.
"While diners at the affordable fast-food chain are less likely to purchase hi-end electronics like Apple computers and Microsoft Surface Books, which are coveted by cybercriminals for their high liquidity, it is also easier for banks to identify unusual shopping patterns and promptly block out-of-pattern transactions," the security consultancy said.
"However, cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time." ®
Updated to add
Juniper Networks has just told El Reg that the breach may be larger than first reported: one million additional stolen card numbers have been found, this time from stores in the EU and Asia. This would bring the total number of victims up to around six million.
We've asked Saks' parent Hudson's Bay Company for confirmation.