Saks Fifth Avenue and Lord & Taylor have both suffered a data breach involving customers' debit and credit card information. The data breach became apparent on 28 March when Joker's Stash, a seller of stolen payment card details on underground markets, announced its "BIGBADABOOM-2" sale of five million cards. Working with financial organizations, Gemini Advisory "confirmed with a high degree of confidence" that the sale included cards stolen from Saks Fifth Avenue and Lord & Taylor.
Advertisement of the BIGBADABOOM-2 Breach by JokerStash. (Source: Gemini Advisory) The security firm's analysis suggests the security incident affected all Lord & Taylor stores and 83 locations of Saks Fifth Avenue based in the United States from at least May 2017.
Geographical Distribution of Compromised Payment Cards combined for Saks Fifth Ave and Lord & Taylor. (Source: Gemini Advisory) As of this writing, Joker's Stash has released the details of 125,000 cards stolen from the two luxury department stores. Gemini Advisory anticipates the seller will gradually release the remaining information over the next few months. Hudson's Bay Company (HBC), a Canadian retail business group which owns both Saks Fifth Avenue and Lord & Taylor among other holdings, confirmed the data breach on 1 April in a statement:
The Company deeply regrets any inconvenience or concern this may cause. HBC wanted to reach out to customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter. HBC has identified the issue, and has taken steps to contain it. Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.
HBC went on to reveal its plans to create a dedicated call center where concerned customers can learn more information about the incident. In the meantime, it said it will continue working with data security investigators, law enforcement and payment card companies to learn more about the incident and prevent similar breaches from occurring in the future. News of this breach comes just over a year after luxury retailer Saks Fifth Avenue inadvertently exposed the personal details of tens of thousands of customers online.
