Cyber Incident Victim: Hudson's Bay Company
Date: Mar 2018
Location: United States of America
Summary
A cybercriminal group compromised payment systems at a major retail corporation, resulting in the theft of over five million payment cards subsequently sold on the dark web. The breach affected all locations of the company's Lord & Taylor stores and 83 Saks Fifth Avenue outlets, primarily impacting customers in New York and New Jersey. Data was siphoned from physical stores over several months through compromised point-of-sale systems, with online platforms remaining unaffected. Financial institutions confirmed the stolen cards' authenticity through transaction patterns linked to these retail brands. The incident highlighted vulnerabilities associated with outdated payment terminal technology still in use at some retail chains.
Description
On March 28, 2018, the cybercriminal group JokerStash, also known as FIN7, publicly announced a major breach involving Hudson's Bay Company subsidiaries Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor. The group offered over five million stolen payment cards for sale on dark web marketplaces, representing one of the largest retail card breaches at that time. Multiple financial institutions confirmed the breach's validity after verifying that compromised cards had been used exclusively at these retail locations. Forensic analysis indicated the attackers had been exfiltrating payment card data from point-of-sale systems since at least May 2017, with ongoing theft continuing through early 2018. The compromise affected all 83 Saks Fifth Avenue locations across North America along with Lord & Taylor's entire store network. Geographically, the highest concentration of stolen cards originated from New York and New Jersey stores, though the breach impacted customers nationwide. Investigators determined that only physical retail locations were compromised, with no evidence of online shopping platform intrusion.

The breach exposed vulnerabilities in legacy magnetic stripe payment systems still operational at affected stores during the compromise period. While many retailers had completed transitions to more secure EMV chip-card terminals by 2017, Hudson's Bay Company subsidiaries were among those still using older technology when the breach occurred. Financial institutions began detecting fraudulent transactions linked to the stolen cards shortly before the breach announcement, prompting coordinated fraud monitoring efforts. Hudson's Bay Company initiated forensic investigations with third-party cybersecurity firms to determine the attack's full scope and containment measures. Customers were advised through banking partners to replace affected payment cards and activate transaction monitoring services. The incident highlighted systemic risks associated with delayed adoption of EMV technology across the retail sector, particularly among chains operating large physical store networks. No further details regarding technical attack vectors or specific security improvements were disclosed publicly following the initial breach notification.
