Bank Card Data of Five Million Stolen in Saks and Lord & Taylor Data Breach

PoS SaksA hacking syndicate known as JokerStash (also identified as Fin7 and Carbanak) announced the sale of five million stolen payment cards on the dark web last March 28. A security firm investigating this sale reports that the victims were most likely from customers of high-end retailers Saks Fifth Avenue and Lord & Taylor. This was confirmed on April 1 through an announcement from Saks and their parent company, the Hudson’s Bay Company after they became aware of a “data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America.” This is the latest in a string of high-profile breaches from Fin7, whose previous victims include Trump Hotels, Whole Foods, and Chipotle.

The current batch of compromised records is named BIGBADABOOM-2. According to the security firm, majority of the stolen records came from compromised New York and New Jersey locations, and the period of collection may have started in May 2017. So far, only a small percentage of the records have been released for sale — a common tactic for large caches of compromised records. The group will likely sell the records in small batches to avoid flooding the market. Hudson’s Bay have reportedly taken steps to contain the breach and are offering free identity protection, credit and web monitoring services to anyone impacted.

Some news outlets are reporting that this is a point-of-sales (PoS) breach, stating that “the data appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.”

Past PoS incidents linked to data breaches

Other incidents involving PoS malware this year show how this old threat is still a clear danger for retailers, restaurants, hotels and other brick-and-mortar vendors. In January, Forever 21 disclosed how PoS malware was linked to its data breach, while Applebee’s also uncovered PoS malware on its systems in early March.

Many of the past PoS malware we’ve seen — AbaddonPOS, RawPOS, and MajikPOS — were used in tandem with other threats, such as backdoors and keyloggers. Using such multi-pronged attacks is more advantageous for attackers because it nets them different types of data to sell.

Because this threat has proven to be so effective in the past, businesses have to be ahead of the curve and install more stringent defenses to protect their customers’ data. Regulatory bodies are already enforcing new standards for enterprises to prevent data breaches such as these, and to ensure that their citizens’ personal information is protected. The EU’s General Data Protection Regulation (GDPR) will be implemented on May 25 2018, and has stiff fines for entities that do not have proper data security in place.

Solutions and mitigation tactics

Customers of the affected stores can take advantage of the free identity protection, as well as credit and web monitoring services that the company has offered.

For businesses who want to avoid incidents such as this, here are some countermeasures that can mitigate this threat:

  • Ensuring that all stores comply with the latest Payment Card Industry Data Security Standard (PCI-DSS)
  • Implementing properly configured chip-and-PIN cards with end-to-end encryption (EMVs) that are more secure than magnetic stripe-based cards
  • Properly securing other points of entry, such as remote desktops and endpoints
  • Deploying application control/whitelisting and behavior monitoring, which detect and block unknown files and prevent anomalous modifications or routines from running
  • Proactively monitoring the network for any red flags, such as suspicious data exfiltration

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.