Card Data Stolen From 5 Million Saks and Lord & Taylor Customers (nytimes.com) 46
Hudson's Bay said on Sunday that data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. From a report: A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month. The Hudson's Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.
"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
"We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America," the company said in a statement. "We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
Looks like someone... (Score:4, Funny)
Re: (Score:2)
"Filter error: Don't use so many caps. It's like YELLING.".... cool, I'll let Roger Daltrey know that the next time I see him.
The solution (Score:3)
Send one of them to a max security prison toe get a little butt boning time, and we'll see the problem fixed in no time.
The crudeness of this post was quite intentional.
Re: (Score:3, Interesting)
Currently, anyone who handles credit cards is supposed to follow PCI-DSS rules, including yearly audits for PCI compliance. Unfortunately, the entire system is a sham.
The companies doing the audits have a financial interest in making sure everyone passes their audit, otherwise they risk losing business.
There is no penalty for shitty security, due to the fact that nobody ever fails a PCI audit.
Until PCI rules are actual law, audited by a non-profit agency with the authority to shut down anyone not in compli
Re: (Score:2, Insightful)
The CEO of these companies are going to have to face some prison time.
No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran. If we are going to start imprisoning people for incompetence, we will need to vastly expand our already bloated prison system and raise taxes to pay for that.
I understand that it feels good to say "lock em up" every time we have a social problem, but if you think that is actually "the" solution, then you need to grow up.
Here is the solution: Get rid of the idiotic C
Re: (Score:3)
The CEO of these companies are going to have to face some prison time.
No, that is not the solution. America already imprisons far more people than any other country, four times more than China, Russia, or Iran.
No crime, no punishment, no solution, the situation continues just the same as it has occured for years. Perhaps a stern talking to is in order, and a promise to go to their room and think about what their company has done to millions, and back to work waiting until the next breach.
Re: (Score:2)
No crime, no punishment, no solution
If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".
the situation continues just the same as it has occured for years.
Then it should be obvious that we need to FIX THE PROBLEMS rather than just pounding harder on the defects.
Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (wh
Re: (Score:3)
No crime, no punishment, no solution
If that were actually true, America would have by far the world's lowest crime rates. It doesn't. In the developed world, it has one of the highest crime rates. You should read up on "evidence based reasoning".
You are conflating some of the silly and stupid things we have put people ln jail for, and making a broad generalization that since at one time, simple marijuana possession could get you 30 years or so is now the same thing as this.
In addition, you have made a rather interesting leap to assuming a lot of things about me.
n addition, you've presented a mighty fine non-sequitur which is that since 'Murrica jails a lot of people that no more should be jailed because we jail a lot of people.
Our current CC system is DESIGNED to be insecure, because Visa and MasterCard have no incentive to fix it, and actually benefit from additional fees for chargebacks. Blaming the merchants (who bear much of the cost of fraud) and/or end users (who also bear part of the cost) is silly.
You are correc
Re: (Score:2)
The solution is to do what other countries do. These are proven, working solutions. These data breaches, and CC fraud in general, are "American problems", because most other countries don't allow me to spend your money simply by providing semi-public information.
Why are CC Numbers Exposed? (Score:2)
Why are credit card numbers even available on an internet facing DB? They are not required for individual transaction tracking as a separate id is generated for that. If a CC is presented at a store, it need only send the number to a server that returns only yea or nay, not any numbers. A similar means can apply for "1 click" and the like - the logon password sufficing.
There will still be some vulnerabilities, but unlikely to be wholesale breach of millions of CC numbers at a time.
Re: (Score:2, Insightful)
Why are credit card numbers even available on an internet facing DB?
Because convenience is more important than security. If you return an item to a store they can just scan your receipt and issue a credit to your card.
Re: (Score:2)
Your (complete) credit card number isn't on the receipt - just a transaction number which is used to reverse the transaction. No CC number need be exposed.
Re: (Score:2)
No CC number need be exposed.
They need the CC# to do the refund. The customer might not have it with them, or might not remember which card they used. So the clerk needs to be able to retrieve the number.
Of course this is stupid, and other countries do it differently. For instance, in China, the transaction ID itself can be used for the refund, without any need for the CC#. In fact, the CC# is not even needed for the original purchase. You just need the cell phone linked to the account, along with a 6 digit PIN, and either your fa
Re: (Score:2)
Reread the summary above. The card numbers weren't on an "internet facing database." They were taken by malware implanted in their cash registers.
So typical (Score:3)
"will offer those impacted free identity protection services, including credit and web monitoring."
Translation - bit of an expense for a year to pay for this, then we are off the hook.
Yet the individual remains at risk for the rest of their life.
At a bare minimum when they lose your data, credit monitoring should be for life. Also full replacement cost for compromised credit cards should be included.
Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...
Re: (Score:2)
Then we move into other information often lost due to this kind of negligence that need replacement mechanisms also - SSN, DL#...
There is no need to replace SSNs and DL#s. We just need to ban their use in authentication. Knowing an SSN should not be used to authenticate identity. It should just be an index number.
When my bank needs to authenticate my identity, they text a code to the cellphone linked to the account. That is not perfect, but it is WAY more secure than asking me for the last four digits of my SSN.
Re:When are we going to run out (Score:4, Funny)
I heard that they'll be moving to the CCv6 standard when the number space starts to get low. Should provide enough credit card numbers for every molecule in the solar system.
There's also a private credit card capability defined in RFCC 1918 (*) that is being used to mitigate the issue in many cases.
(*) "Request for Credit Card"
Re: (Score:2)
How many pristine, never used card numbers are actually left and when we will start reusing old numbers?
CC#s are 16 digits, so there are 10 quadrillion combinations. That is roughly 1.4 million numbers per person.
Only one of 10 of those numbers has a valid checksum, and there are some other restrictions (Visa always starts with "4", MC with "5", etc.), but there is no way we are ever going to run out of numbers.
Re: (Score:1)
I was a full-time developer with them for a time. I and most of my coworkers left voluntarily or otherwise when they brought in Tata Consultancy Services and nuked the St Louis, MO and Jackson, MS offices. All of their security is atrocious and they do bid bottom dollar to incompetent contractors. Anybody who worked there saw this coming and I'm glad I left before this hit the band saw.
Probably never happen ... (Score:2)
... again.
Why is the card number printed on the card? (Score:1)
In 2018, why are credit card numbers still a thing? A "secret" number printed on the front of your card, typically in raised, bold characters. And we wonder why these are stolen? Hand your card to a minimum wage worker who takes it away from you temporarily -- and we accept this?! The only reason why this irresponsible negligence is still perpetrated is because neither the banks nor the processors lose from these thefts. They MAKE money on chargebacks. Virtually all the cost is borne by the merchants. Even
I'm trying to care (Score:3)
Who the hell shops at Saks Fifth Avenue or Lord & Taylor, anyway? If someone is willing to pay $650 for a shitty blue track suit that looks like one you could pick up for $3 at a local Goodwill store, then whoever hacked the database could probably make better use of their money.
You don't believe me, you say? Nobody would pay $650 for what looks like a bad K-Mart track suit, you say?
https://www.saksfifthavenue.co... [saksfifthavenue.com]
Microsoft Windows strikes again (Score:3)
If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press.' link [nypost.com]
Apple Pay? (Score:1)
This is why I use my phone to pay, wherever it's accepted.
Good thing I don't shop there. (Score:2)
I used to sometimes enter the mall on my way to the food court via the "Off 5th" store. (Sak's discount bargain bin.)
I never paid much attention to the store, but I saw a light jacket of the style I'd worn for years, and needed to get another one of. The "Sears" type places had quit carrying that type of jacket.
Holy deleted expletives, six hundred dollars!! That's insane!! I can't do business with crazy people!!
(It was marked down from $800.)
After that, I found a different place to park where I didn't h