More than 5 million credit and debit cards were affected. The majority of the stolen payment cards were taken from stores in New York and New Jersey, three Canadian stores in Toronto, Brampton and Pickering. Analysis suggested that criminals were siphoning the information between May 2017 to present. They market stolen credit information on a hub called Joker’s Stash. Hudson’s Bay Company, which owns the chains in questions, wrote in a statement that customers would not be held liable for any charges, will offer free identity protection services to those affected once the situation has “more clarity around the facts,” and has “taken steps to contain” the scope of the breach.
Hudson’s Bay said there is no indication the breach involves online sales records at “Saks and Lord & Taylor outlets or its Hudson’s Bay, Home Outfitters, and HBC Europe units.” A previous investigation in 2017 found that many of Saks Fifth Avenue’s customer records (not including payment info) were stored in plain text on publicly accessible servers. A cybersecurity firm called Gemini Advisory identified the breach. The “attack is amongst the biggest and most damaging to ever hit retail companies,” according to the firm.