Skip to main content
close search
site logo
Dive Brief

Hudson's Bay data breach among 'most damaging' in retail

Published April 2, 2018
By
Contributor
Raysonho. (2016). "Saks Fifth Avenue in Toronto" [photograph]. Retrieved from Wikimedia Commons.

Dive Brief:

  • Some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores suffered security attacks on their in-store point-of-sale systems last year, leading to about 5 million credit and debit card numbers being stolen, according to a New York Times story that referenced a report from security research firm Gemini Advisory. 

  • Russian hacker syndicate Fin7 appears to have been responsible, according to Gemini Advisory. The hacker group has so far offered about 125,000 stolen card numbers — the majority of them obtained from New York and New Jersey stores — for sale on the dark web.

  • The Hudson's Bay Company, which owns all three of the retail store brands affected, subsequently confirmed in a statement that certain stores had been affected by a "data security issue," that it is continuing to investigate the incident and that it will offer further details to affected customers as the investigation progresses.

Dive Insight:

Gemini in its report described this breach as "amongst the biggest and most damaging to ever hit retail companies."

The massive breach comes at an especially bad time for the retailer. Just last week the company reported that same-store sales declined about 2.4% in the fourth quarter of 2017. That wrapped up a year in which the company, under heavy pressure from an activist investor, closed about 27 stores and sold its flagship Lord & Taylor store in New York City. 

New CEO Helena Foulkes, who came on board in February after former CEO Jerry Storch abruptly departed, already had to deal with the need for a strategic makeover and a decision about whether or not the company will still look into mergers or privatization. Now she also has to grapple with a data breach at a time when operators of brick-and-mortar stores can't exactly afford to give customers more reasons to stay away from those stores. 

Data breaches continue to be a growing threat for retailers and brands. The Hudson's Bay breach was not even the only attack to be discovered in the past week, as Under Armour also admitted that its MyFitnessPal app was breached in an incident that left the usernames, e-mail addresses and passwords of as many as 150 million users vulnerable.

In 2017 alone, we saw data breaches that resulted from malware being planted on the POS systems in stores operated by The Buckle, Eddie Bauer, Kmart and Forever21.

Even with technology, such as EMV chips, more widely adopted, information remains vulnerable.

"EMV chip card acceptance can help merchants distinguish between real and fake payment cards," Ruston Miles, founder and chief innovation officer of Bluefin Payment Systems, told Retail Dive via e-mail. "However, EMV does nothing to stop hackers from using malware to steal card data from POS systems." Miles added that further protections like industry-standard encryption and tokenization are needed (and if you have those capabilities, they need to be turned on. In the case of Forever21's breach, they apparently were not).

Terry Ray, CTO of data security technology company Imperva, said in an e-mail to Retail Dive that it may take more than investments in new security systems for Hudson's Bay to protect its customers.

Ray said many organizations continue to have problems with discovering data breaches, and understanding what they are dealing with once they find them, which is why the Hudson's Bay data breach and others seem to go on for months before they are stopped. (The Hudson's Bay breach started last May and was ongoing until very recently, according to the Times.)

"Most attacks are designed to run under the radar, and the methods of breach constantly evolve," Ray said. "This requires that cyber security teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common." 

Can Hudson's Bay learn from the sector's security shortcomings? This is the same question seemingly asked after every retail data breach, with only the name of the company being much different. We have yet to see many companies come up with an adequate answer.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
ShoppinGenie Unveils Version 3.0: An AI-Powered Shopping Assistant Set to Transform Retail
From KanduAI
November 06, 2024
Alejandro Betancourt López and the Future of Retail
From Hawkers Sunglasses
November 13, 2024
Myriad Genetics Expands Access to At-Home Early Fetal Sex DNA Test with Retail Launch
From Myriad Genetics
November 13, 2024
Aroma Retail Supports Exponential Ecommerce Growth with Descartes Parcel Shipping Solution
From Descartes Systems Group
November 04, 2024
Editors' picks
  • Woman shopping denim jeans in a clothing store
    Image attribution tooltip
    lechatnoir via Getty Images
    Image attribution tooltip

    7 retail trends to watch in 2024

    From economic pressures weighing on consumers to relocating stores away from malls, here’s what’s on retailers’ minds heading into the new year.

    By Retail Dive Staff • Jan. 8, 2024
  • An illustration of a person hanging onto a coin in rough seas.
    Image attribution tooltip
    Adeline Kon/Retail Dive
    Image attribution tooltip
    Tracker

    The running list of major retail bankruptcies

    Eastern Mountain Sports and Bob's Stores are the latest retailers to file Chapter 11.

    By Retail Dive Staff • Updated Nov. 15, 2024
Latest in Operations
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell