According to Gemini Advisory, the estimated window of compromise is between May 2017 and the present, and "the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised".
"On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web", Gemini reported. Hudson's Bay said in a statement that it "deeply regrets any inconvenience or concern this may cause", but it hasn't said how many Saks or Lord & Taylor stores or customers were affected.
According to HBC, the company has taken steps to contain the breach.
Some of those cards were used by their card owners as recently as a month ago, in one of the stores affected.
"The theft of five million payment cards is undoubtedly among the most significant credit card heists in modern history, and will negatively affect a large number of consumers in North America", Gemini Advisory wrote.
HBC said that its customers would not be liable for any fraudulent charges that may result from this data breach, but also urged them to be vigilant about checking their statements to catch any fraudulent charges, sooner rather than later.
However, hackers are claiming to have stolen data from 5 million card holders. This newest breach, however, more closely resembles past retail breaches that have targeted the point-of-sale systems used by companies from Home Depot to Target and Neiman Marcus.
HBC says it is working with data security investigators, law enforcement authorities, and payment card companies to investigate the breach. Go to the credit monitoring organizations and see what they have, different levels of protection, anything from credit monitoring, credit alerts, credit freezing. At the current time, the company does not have any reason to believe that driver's license or social security numbers were compromised and announced that it would notify any customers who were affected once its investigation has been completed.
However, Gemini Advisiory noted that the Hudson's Bay breach could be much more damaging, because it will be harder for banks to spot unusual transactions when it involves customers who routinely splash money on luxury goods.