For Hudson's Bay's new CEO, another headache - a data breach with a claimed 5 million cards at risk

By Stuart Lauchlan, April 2, 2018
Summary:
Hudson's Bay Company has a hell of a lot to do in terms of tech upgrades. That's going to include payment systems after 5 million cards were involved in a massive data breach.

Last week’s look at the challenges ahead for the new CEO of retailer Hudson’s Bay Company (HBC) concluded with the view that there was an awful lot to be done to turn around the fortunes of the firm. The last thing Helena Foulkes needed was a data breach to deal with.

But that’s what she got as the company had to put its hands up to a security issue involving customer payment card data at a number of Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. In a statement on 1 April, there was no fooling around when HBC said:

We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.

While the investigation is ongoing, there is no indication at this time that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe. We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies.

We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. We will offer those impacted free identity protection services, including credit and web monitoring… We want to assure our customers that they will not be liable for fraudulent charges that may result from this matter.

That was about all HBC was prepared to say for now while the investigation continues, promising more information when it becomes available:

Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.

Five million cards?

But security analyst firm Gemini Advisory went considerably further, estimating that the breach involved 5 million payment cards between May of last year and the present day. It said that it was aware of approximately 125,000 records that had been released for sale, with the expectation that many more were to come.

Gemini points the finger at the JokerStash hacking syndicate which released a batch of compromised records, dubbed BIGBADABOOM-2, on 28 March, four days before HBC admitted to the security problem and the day when HBC announced its latest quarterly numbers. No mention was made of the problem in the results conference call with Wall Street analysts.

This is a big security breach in the retail sector, warns Gemini:

With the declared number of compromised payment cards being in excess of five million, the current hacking attack is amongst the biggest and most damaging to ever hit retail companies… As of this writing, only a minor part of compromised records have been offered for sale, with approximately 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

HBC’s commitment to ensuring that any affected customers will not be liable for fraudulent transactions is just as well given the nature of its customer demographic. Gemini notes:

Cardholders who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly; therefore, it will be extremely difficult to distinguish fraudulent transactions from those of a legitimate nature, allowing criminals to abuse stolen payment cards and remain undetected for a longer period of time.

It adds that the impact of this breach may well reach beyond North America:

The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America. On the other hand, in recent years, US and Canadian banks have advanced their fraud detection capabilities tremendously, which will allow them to minimize the impact of the hack on their customers.

However, considering the popularity of Saks Fifth Avenue and Lord & Taylor stores with international travelers, whose banks might have less effective anti-fraud controls, we anticipate a significant surge in fraudulent in-person purchases in the coming months, which will explicitly affect foreign banks.

My take

When sorrows come, they come not single spies…

Another big item on CEO Foulkes’ to-do list. The fact that there’s no apparent impact on e-commerce and digital platforms is a silver lining to this latest cloud over HBC, suggesting that this breach relates to legacy in-store card payment technology. That’s something that can be tackled from an infrastructure point of view.

But what the PR damage will be once/if the firm is hit by a rash of fraud claims is another matter altogether.