Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com) 46

Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."

This discussion has been archived. No new comments can be posted.

Card Data Stolen From 5 Million Saks and Lord & Taylor Customers

Comments Filter:
  • by PeterGM ( 5304449 ) on Sunday April 01, 2018 @03:00PM (#56363739)
    ... needs to get Saked.
    • YEEEEEEEEEEEAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!

      "Filter error: Don't use so many caps. It's like YELLING.".... cool, I'll let Roger Daltrey know that the next time I see him.
  • by Ol Olsoc ( 1175323 ) on Sunday April 01, 2018 @03:22PM (#56363789)
    The CEO of these companies are going to have to face some prison time. Otherwise these companies simply do't give a STD fuck about giving your credit card information away. Why would they. Even if fined, it's just a itty bitty CODB issue.

    Send one of them to a max security prison toe get a little butt boning time, and we'll see the problem fixed in no time.

    The crudeness of this post was quite intentional.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.

      The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.

      There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.

      Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compli

    • Re: (Score:2, Insightful)

      The CEO of these companies are going to have to face some prison time.

      No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran. If we are going to start imprisoning people for incompetence, we will need to vastly expand our already bloated prison system and raise taxes to pay for that.

      I understand that it feels good to say "lock em up" every time we have a social problem, but if you think that is actually "the" solution, then you need to grow up.

      Here is the solution: Get rid of the idiotic C

      • The CEO of these companies are going to have to face some prison time.

        No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran.

        No crime, no punishment, no solution, the situation continues just the same as it has occured for years. Perhaps a stern talking to is in order, and a promise to go to their room and think about what their company has done to millions, and back to work waiting until the next breach.

        • No crime, no punishment, no solution

          If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".

          the situation continues just the same as it has occured for years.

          Then it should be obvious that we need to FIX THE PROBLEMS rather than just pounding harder on the defects.

          Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (wh

          • No crime, no punishment, no solution

            If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".

            You are conflating some of the silly and stupid things we have put people ln jail for, and making a broad generalization that since at one time, simple marijuana possession could get you 30 years or so is now the same thing as this.

            In addition, you have made a rather interesting leap to assuming a lot of things about me.

            n addition, you've presented a mighty fine non-sequitur which is that since 'Murrica jails a lot of people that no more should be jailed because we jail a lot of people.

            Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.

            You are correc

  • Why are credit card numbers even available on an internet facing DB? They are not required for individual transaction tracking as a separate id is generated for that. If a CC is presented at a store, it need only send the number to a server that returns only yea or nay, not any numbers. A similar means can apply for "1 click" and the like - the logon password sufficing.

    There will still be some vulnerabilities, but unlikely to be wholesale breach of millions of CC numbers at a time.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why are credit card numbers even available on an internet facing DB?

      Because convenience is more important than security. If you return an item to a store they can just scan your receipt and issue a credit to your card.

      • Your (complete) credit card number isn't on the receipt - just a transaction number which is used to reverse the transaction. No CC number need be exposed.

        • No CC number need be exposed.

          They need the CC# to do the refund. The customer might not have it with them, or might not remember which card they used. So the clerk needs to be able to retrieve the number.

          Of course this is stupid, and other countries do it differently. For instance, in China, the transaction ID itself can be used for the refund, without any need for the CC#. In fact, the CC# is not even needed for the original purchase. You just need the cell phone linked to the account, along with a 6 digit PIN, and either your fa

    • by plover ( 150551 )

      Reread the summary above. The card numbers weren't on an "internet facing database." They were taken by malware implanted in their cash registers.

  • by RandomFactor ( 22447 ) on Sunday April 01, 2018 @03:27PM (#56363799)

    "will offer those impacted free identity protection services, including credit and web monitoring."

    Translation - bit of an expense for a year to pay for this, then we are off the hook.

    Yet the individual remains at risk for the rest of their life.

    At a bare minimum when they lose your data, credit monitoring should be for life. Also full replacement cost for compromised credit cards should be included.

    Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...

    • Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...

      There is no need to replace SSNs and DL#s. We just need to ban their use in authentication. Knowing an SSN should not be used to authenticate identity. It should just be an index number.

      When my bank needs to authenticate my identity, they text a code to the cellphone linked to the account. That is not perfect, but it is WAY more secure than asking me for the last four digits of my SSN.

  • In 2018, why are credit card numbers still a thing? A "secret" number printed on the front of your card, typically in raised, bold characters. And we wonder why these are stolen? Hand your card to a minimum wage worker who takes it away from you temporarily -- and we accept this?! The only reason why this irresponsible negligence is still perpetrated is because neither the banks nor the processors lose from these thefts. They MAKE money on chargebacks. Virtually all the cost is borne by the merchants. Even

  • by PopeRatzo ( 965947 ) on Sunday April 01, 2018 @09:58PM (#56364841) Journal

    Who the hell shops at Saks Fifth Avenue or Lord & Taylor, anyway? If someone is willing to pay $650 for a shitty blue track suit that looks like one you could pick up for $3 at a local Goodwill store, then whoever hacked the database could probably make better use of their money.

    You don't believe me, you say? Nobody would pay $650 for what looks like a bad K-Mart track suit, you say?

    https://www.saksfifthavenue.co... [saksfifthavenue.com]

  • by najajomo ( 4890785 ) on Monday April 02, 2018 @10:47AM (#56366927)
    'Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.

    If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.' link [nypost.com]
  • This is why I use my phone to pay, wherever it's accepted.

  • I used to sometimes enter the mall on my way to the food court via the "Off 5th" store. (Sak's discount bargain bin.)

    I never paid much attention to the store, but I saw a light jacket of the style I'd worn for years, and needed to get another one of. The "Sears" type places had quit carrying that type of jacket.

    Holy deleted expletives, six hundred dollars!! That's insane!! I can't do business with crazy people!!

    (It was marked down from $800.)

    After that, I found a different place to park where I didn't h

Genius is ten percent inspiration and fifty percent capital gains.

Working...