Five million customer credit and debit cards offered for sale by the JokerStash hacking syndicate, also known as Fin7, likely came from records stolen from Saks Fifth Avenue and Lord & Taylor sometime between May 2017 and their March 28 release.
“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations [has] been compromised” and the majority of cards were “obtained from New York and New Jersey locations,” according to a Gemini Advisory report, which states that approximately 125,000 records were for sale, with the remainder of the cache, advertised on the dark web as BIGBADABOOM-2, expected to be rolled out in the coming months.
“While locale-specific attacks like these aren’t uncommon, the volume of records is a bit larger than usual, which could be a lead to how long the infection was present before detection,” said Terry Ray, CTO of Imperva, noting that organizations often struggle to identify a breach or infection in a reasonable time-frame. “Most attacks are designed to run under the radar and the methods of breach constantly evolve. This requires that cybersecurity teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common,” Ray added.
Gemini expressed “a high level of confidence” that the stolen cards came from Saks Fifth Avenue, its discount outlet Saks Fifth Avenue OFF 5TH, and Lord & Taylor Stores, all operated by Hudson’s Bay Company (HBC), a Canadian firm.
“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America,” reads a company statement from Saks Fifth Avenue. “We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication at this time that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe.”
The company added that it is coordinating with law enforcement authorities and payment card companies and assured customers that there is no evidence that Social Security and Social Insurance numbers, driver’s license numbers, and PINs were affected.
Fin7 has successfully hacked hotel chains like Trump Hotels and Omni Hotels & Resorts, as well as retailers like Whole Foods, Jason’s Deli and Chipotle. The group last year also launched spearphishing campaigns targeting Securities and Exchange Commission (SEC) filings using a fileless attack framework.
“This incident shows once again merchants still need to protect themselves against POS system infiltration attacks targeting cardholder data. A multi-layer security strategy is necessary,” including segmenting POS networks and upping monitoring and threat detection capabilities, said Mark Cline, vice president at Netsurion. “If nothing else, dwell time of such an attack would be reduced to hours or days. After all, the report is that this attack has persisted for almost a year, just as we have seen in previous massive card breaches.”