Luxury department store behemoth Saks Fifth Avenue and sister stores Saks OFF 5TH and Lord & Taylor have become the latest retail victim of a data breach. The incident impacts 5 million payment cards that were used at stores in North America, from May 2017 to March 2018.
Research firm Gemini Advisory uncovered a posting on the dark web by a group of Russian-speaking hackers known as Fin7 (a.k.a. JokerStash), who said they had obtained a cache of stolen card numbers from the company; the thieves call the cache “BIGBADABOOM-2.” They also offered 125,000 of the records for immediate sale.
The likely mechanism for the theft is card-skimming malware installed on the stores’ point-of-sale (POS) checkout systems, though details are scant. Gemini told the New York Times that the initial attack vector was probably targeted phishing emails sent to employees at the chains’ parent company, Hudson’s Bay.
“People often think POS systems are high risk to deal with and are reluctant to patch them and secure them sufficiently,” said James Maude, lead security engineer at Avecto, via email. “Often this results in an environment where unpatched applications are running with admin privileges and very little protection in place, making for a hugely tempting target. Even within the general user population at most organizations, overprivileged users with local admin rights mean that they are one click away from a breach and total compromise. We need to stop making it easy for attackers and build strong defensible security foundations.”
The incident is now contained, according to Saks, which also stressed in a statement that the hackers weren’t able to gain access to its e-commerce or other digital platforms, nor to the payment systems of affiliated brands Home Outfitters or HBC Europe, nor at Hudson’s Bay itself. There’s also no indication that Social Security or Social Insurance numbers, driver’s license numbers or PINs have been affected, it said.
In the grand scheme of things, the breach doesn’t hold a candle to the near-legendary card thefts at Target in 2013 (40 million card numbers stolen) and Home Depot in 2014 (56 million card numbers). But the incident indicates that the near-constant cycle of this type of attack is far from being broken. Also, the sheer amount of time that the malware was active without being discovered indicates institutional problems, according to Terry Ray, CTO of Imperva.
“The problem organizations have is the actual identification of a breach or infection, especially in a reasonable time frame,” said Ray. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common. Usually, cybersecurity teams are underfunded until a breach, then they get a little extra money. Their teams are generally small and stretched thin. Given all the areas that can be attacked, security team members need broad technology knowledge, which makes them highly desirable in the marketplace, going back to the underfunded point.”