Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen

The infamous Carbanak/FIN7 cybercrime syndicate breached Saks and Lord & Taylor and is now selling some of the stolen credit card accounts on the Dark Web.

An infamous cybercrime group hacked and purloined some 5 million credit card numbers from Hudson's Bay brands Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor in a massive retail data breach disclosed over the weekend.

In a Sunday advertisement on the Dark Web, 125,000 of the stolen credit card accounts were offered for sale on the Dark Web. The breach was first disclosed in a blog post by security analysts at Gemini Advisory, revealing that the entire network of Lord & Taylor stores, 83 Saks Fifth Avenue stores, and an unknown number of Saks Off Fifth stores were compromised by malware that breached the point-of-sale system in each location.

"The length of the breach says a lot about the methodology," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. He explains that the breach, which Gemini Advisory says occurred from May 2017 until the time of the announcement, is characteristic of an attack that compromises the PoS and captures credit-card transaction data and metadata, exfiltrating the data over time.

This long-term compromise of the PoS system is also a characteristic of the Carbanak cybercrime gang aka JokerStash aka FIN7, based on their previous attacks. It's the same cybercrime gang behind breaches at Whole Foods, Chipotle, and Jason's Deli (among other hospitality companies), and typically employs the long-lasting data skim method.

 

"With thousands of devices spread across hundreds of stores, it can be very difficult for retailers to secure their entire networks. All it takes is for one point-of-sale device or router to be left un-patched for an entire company to be compromised," Peter Martini, president and co-founder of iboss, said in a statement.

While no details have been released on precisely how many PoS terminals were compromised, Gemini Advisory says that the majority of credit cards affected were used in New York and New Jersey stores. And some experts see that limited geography as a tool in figuring out how long the attack has been in operation.

"While locale-specific attacks like these aren't uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection," says Terry Ray, CTO of Imperva.

According to Ray, multiplying known factors such as number of locations, average number of customers per day, and number of customers using credit cards lead to the conclusion that this malware infection could have been present for as many as 500 days.

Faster Response

The duration of the attack is something that a number of analysts have targeted as an example of an area of enterprise security that organizations should work to improve.

"People need to understand that breaches will happen. It's flawed to think that a prevention system alone will be so strong that you never have to deal with detection inside the network," says Juniper's Hahad. He says that deficiencies in detection can lead to the worst sort of situation for a company, in which a third party recognizes and alerts you to the existence of a compromise.

Announcement of the breach comes on the heels of the announced arrest of the gang's leader in Spain. While some in law enforcement had hope that the arrest of the yet-unnamed individual might lead to a pause or slowdown in the Carbanak group's activity, the advertised sale of credit card numbers would seem to indicate just the opposite.

In a statement posted online, Saks Fifth Avenue says that the owners of any credit card numbers impacted by the breach will be notified and offered free credit reporting services.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for an intensive Security Pro Summit at Interop IT X and learn from the industry’s most knowledgeable IT security experts. Check out the agenda here.Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...