A data breach at department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor has compromised the personal information of customers who shopped at the stores, per the AP. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on Sunday. The company said it was investigating and taking steps to contain the attack. The disclosure came after New York-based security firm Gemini Advisory LLC revealed on Sunday that a hacking group known as JokerStash or Fin7 began trying to sell a stash of up to 5 million stolen credit and debit cards on dark websites last week. The security firm confirmed with several banks that many of the compromised records came from Saks and Lord & Taylor customers.
Hudson's Bay said in a statement that it "deeply regrets any inconvenience or concern this may cause," but it hasn't said how many Saks or Lord & Taylor stores or customers were affected. The company said there's no indication that the breach affected its online shopping websites and that customers won't be liable for fraudulent charges. It plans to offer free credit monitoring and other identity protection services. There is evidence that the breach began about a year ago, said Dmitry Chorine, Gemini Advisory's co-founder and chief technology officer. Chorine said the hackers' method is to send cleverly crafted phishing emails to company employees. Once an employee clicks on attachment, which is often made to look like an invoice, the system gets infected.