Reports in The New York Times on Sunday (April 1) said experts believe a notorious ring of cybercriminals implanted software into the retailers’ register systems, allowing them to access card data for a year.
As Saks and Lord & Taylor owner The Hudson’s Bay Company works to contain and investigate the breach, analysts told the publication that it’s likely an email phishing scam allowed cybercriminals to infiltrate the retailers’ systems.
Gemini Advisory, which first identified the Saks data breach, said Hudson’s Bay employees were probably targeted by an email phishing scam, in which an employee receives an email with a malicious link that installs software in a company’s system, allowing attackers to gain access to sensitive data.
Separate reports by the Associated Press also pointed to an email phishing scam as the likely culprit. Gemini Co-Founder and Chief Technology Officer Dmitry Chorine told the publication that the phishing tactic was most likely the strategy used by cybercriminals that enabled them “to sit on the network of Lord & Taylor and Saks and steal data” for a year.
Hudson’s Bay disclosed the breach on Sunday and said an estimated 5 million cards were compromised. The Canadian company noted it has commenced an investigation.
“Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring,” the company said in a statement, though Reuters reports said the firm declined to confirm whether its network was secure or still compromised.
Card details first surfaced on JokerStash, an online hacking group, with the site announcing plans to release the information on 5 million credit and debit cards. Gemini Advisory first brought attention to the planned sale, with JokerStash immediately releasing about 250,000 records to buyers.
Phishing scams are on the rise, according to The Anti-Phishing Working Group, which published a report last year that found phishing attacks hit record levels in 2016.