back to article Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks

Luxury store chain Saks Fifth Avenue has confirmed it was the victim of a massive cyber-attack that could compromise millions of shoppers. The Fin7 hacking group bragged it compromised Saks' computer systems, and lifted about five million payment cards from those who made purchase at the upscale clothing store's brick-and- …

  1. DanceMan

    Owned by Hudsons Bay Co.

    When will these giant retailers realize they have to take security seriously and hire the necessary skilled staff?

    As a Canadian, I'm embarrassed.

    1. ThatOne Silver badge
      Devil

      Re: Owned by Hudsons Bay Co.

      When getting hacked starts costing them more as the security investment needed to avoid it.

      1. lifetime security Bronze badge

        Re: Owned by Hudsons Bay Co.

        They will not learn till the high level execs get their ass kicked.

    2. steviebuk Silver badge

      Re: Owned by Hudsons Bay Co.

      Never. That's the problem. IT is always seen as the lower class of a company so is often ignored, understaffed and underpaid.

      The top brass always assume "IT works fine here, so what are we paying this people for to sit in our building all day doing nothing. Lets out source it to the cheapest provider we can find and save money".

      Ignoring the fact IT is working fine because the IT people ARE doing work and doing a good job as you don't notice it. And external companies that manage IT for several business' strictly stick to their SLA contracts. You want it out of SLA urgently, you pay. If you have internal staff, you can tell them to ignore the SLA for that urgent call, because its, well, urgent.

  2. James Loughner

    They have not gone to tokenizing the CC numbers?? Really they can not be PCI compliant.

    https://www.pcisecuritystandards.org/

    I fault their CC processors not meeting PCI compliance standards.

    1. FrankAlphaXII

      RTFA

      They have, these kinds of attacks are happening at the POS before the card number can be tokenized and before the payment is authorized. As it states very clearly in the article. Its also probably not happening with cards that have EMV chips, but I don't shop at any HBC owned stores so I have no idea if they even support them.

      On that note, If you're going to shop at a mall retailer who is selling your data to a PLCC issuer anyway, bite the bullet and use the store's PLCC if they have one. Its a lot easier to deal with when it eventually gets blown open by a hacker since the PLCC can only be used at that store and maybe other brands owned by the same parent.

  3. lifetime security Bronze badge

    Why on Earth are they storing CC numbers?

    This is so stupid. They should be dinged on PCI non-compliance. Yeah, I know it takes money and the DB guys push back really hard. Have been there, handled that. Management needs to understand this issue. Most executives don't prioritize security. The compensation models don't include security compliance metrics. They would therefore rather ship a feature or cut costs. SAKs has high value customers. The last thing they want to do is compromise on security. The value of the asset they should be protecting is huge. This is not a small mom and pop corner grocery store catering to students buying chips and sals.

    1. FrankAlphaXII

      Re: Why on Earth are they storing CC numbers?

      Do you not read?

      "The attack is the latest to use malware-infected cash registers to collect and siphon off card numbers as they are read from the cards, and before they can be encrypted".

      In other words, before the CC number is tokenized the number is getting stolen. They're not stealing it out of the databases at all, they're doing it a long time before.

  4. Anonymous Coward
    Anonymous Coward

    So how did the malware get on the cash register then?

    Was the till delivered with malware or has there been staff? installing it onsite?

    What OS was it running I wonder? LOL

  5. rmstock

    The Victims-exposure-heatmap.jpg according the Fin7 Syndicate Hacks website is drawn in nasty WaPo compost Democracy dies in darkness style , a nasty campaign launched by the owner, that truck driver resembling Rusty Nail inside the movie Joy Ride, who nowadays is accompanied with a.i. killer dog robot. This has become a commie versus capitalist street fight in cyberspace. Meanwhile the FBI is still busy cracking custom made Canadian Blackberries confiscated in Mexico.

  6. Anonymous Coward
    Terminator

    A generic Windows phishing attack

    "Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.

    If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press"

  7. Anonymous Coward
    Happy

    Saks sec sucks

    Would've been my headline.

  8. ozor

    Chip & PIN

    So if I understand this correctly, Chip and Pin Cards would not of been affected (unless you swiped and signed)?

    Anyone understand this enough to confirm :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Chip & PIN

      I would guess that name and card number type details that are availible on front of card have been grabbed but security code proberbly hasn't. So crims could counterfit for manual card payments but not electronic ones and have access to the card holders personal information such as bank sort/account for identy theft.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020