Saks Fifth Avenue in Manhattan

The compromise of data from over five million Saks Fifth Avenue and Lord & Taylor customers has raised concerns about the company's information security capabilities and the fate of consumer data. It also reaffirms considerations for securing card readers amid increasing cybersecurity threats.

Announcing the compromise on April 1, cybersecurity researchers Gemini Advisory described the attack as “amongst the biggest and most damaging to hit retail companies” and estimated that the records were first compromised in May 2017. The group noted customer data was taken from 83 Saks locations, along with “the entire network of Lord & Taylor.” Most of the stolen card info was taken from locations in New Jersey and New York, with 125,000 records being sold on the dark web.

“It's a lot of credit card numbers, and that's a long time to go without knowing it's happening,” Everett Monroe, an attorney who specializes on data privacy at Hanson Bridgett, told LTN. However, he noted that the type of attack that hit Saks—point of sale (PoS), which spawns from malware installed in cash register transaction systems—is “one of the hardest data exfiltrations to even detect.”

Part of the difficulty in detecting PoS attacks is that each consumer transaction is accounted for on an individual basis, meaning that it might not be obvious to someone or a system monitoring that data is being stolen.

“If you're looking at a whole bunch of small individual data transfers, it's not like someone on the IT side is going to detect that there's necessarily a problem,” Monroe said. “It's also just in general harder to secure those sorts of things, because those transactions are happening on a face-to-face level, using physical machines at hundreds of different locations.”

Saks and Lord & Taylor parent company Hudson's Bay noted in a statement that it believes the hack “no longer poses a risk to customers” shopping at its stores or on “e-commerce or other digital platforms.” In terms of addressing security concerns, the company didn't divulge specifics, but noted that it “identified the issue, took steps to contain it, and [believes] it no longer poses a risk to customers shopping at our stores.”

While Hudson's Bay outlined the issue and results, however, Monroe said that the statement struck him as “a little bit incomplete.”

“When we're talking about this size of numbers, there doesn't seem to be a way to find out if any particular individual has been affected. And so from the consumer point of view, they don't know if they need to protect themselves,” he added.

Yet others believe it's too early to gauge the risk posed. “Generally, until you know the root cause … it's hard to know what the scope of the hack is and whether there's a further risk of compromise,” Stephen Lilley, partner at Mayer Brown, told LTN.

“Unfortunately, companies can be compromised and not know about it for months. This happens all the time, it happens with government agencies. Unfortunately, the more sophisticated the actor is, the harder they are to detect,” Lilley noted.  “It doesn't necessarily reflect back on the company. It may reflect more about the sophistication of the attack.”

Indeed, the hackers behind the attack, Fin7 aka JokerStash, are regarded as a professional syndicate. Dimitry Chorine, Gemini Advisory CTO and co-founder, told Wired that the group makes “at least $50 million every month” from stolen information, and probably has “at least a billion dollars on hand.”

“They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers,” he added.

Lilley, who helped in developing cybersecurity recommendations for the Trump Administration, explained that Fin7 has a reputation among the black market for having a high rate of valid credit cards.

“For very sophisticated actors and sophisticated marketplaces that can effectively promise a high rate of validity to the cards, those remain very valuable,” he added.

In terms of reducing the risk of a PoS breach, some cyber experts note that EMV credit cards—the ones with chips as addition to or in place of a stripe—could help due to greater data encryption capabilities, though this comes at a considerable cost. But even then, hackers could circumvent security with what's known as “memory-scraping malware,” which can follow a piece of data through its life cycle until finding a point when it isn't encrypted, explained Ed Cabrera, CEO at enterprise cybersecurity company Trend Micro.

Cabrera noted it's difficult to ascertain much about the attack with the information available, though he said that a number of mergers and acquisitions over the years involving parent company Hudson Bay could have impacted the security apparatus, with continual realignment of potentially disparate IT and security systems.

“It's basic to any risk that the more complexity you have in a system, in a network, the greater risk you face,” he added.