Owned by Hudson's Bay Co.
When will these giant retailers realize they have to take security seriously and hire the necessary skilled staff?
As a Canadian, I'm embarrassed.
Luxury store chain Saks Fifth Avenue has confirmed it was the victim of a massive cyber-attack that could compromise millions of shoppers. The Fin7 hacking group bragged it compromised Saks' computer systems, and lifted about five million payment cards from those who made purchases at the upscale clothing store's brick-and- …
Never. That's the problem. IT is always seen as the lower class of a company so is often ignored, understaffed and underpaid.
The top brass always assume "IT works fine here, so what are we paying these people for to sit in our building all day doing nothing? Let's outsource it to the cheapest provider we can find and save money".
Ignoring the fact that IT is working fine because the IT people ARE doing work and doing a good job, so you don't notice it. And external companies that manage IT for several businesses strictly stick to their SLA contracts. You want it out of SLA urgently, you pay. If you have internal staff, you can tell them to ignore the SLA for that urgent call, because it's, well, urgent.
They have; these kinds of attacks are happening at the POS before the card number can be tokenized and before the payment is authorized, as it states very clearly in the article. It's also probably not happening with cards that have EMV chips, but I don't shop at any HBC-owned stores so I have no idea if they even support them.
On that note, if you're going to shop at a mall retailer who is selling your data to a PLCC issuer anyway, bite the bullet and use the store's PLCC if they have one. It's a lot easier to deal with when it eventually gets blown open by a hacker, since the PLCC can only be used at that store and maybe other brands owned by the same parent.
This is so stupid. They should be dinged on PCI non-compliance. Yeah, I know it takes money and the DB guys push back really hard. Have been there, handled that. Management needs to understand this issue. Most executives don't prioritize security. The compensation models don't include security compliance metrics. They would therefore rather ship a feature or cut costs. Saks has high-value customers. The last thing they want to do is compromise on security. The value of the asset they should be protecting is huge. This is not a small mom-and-pop corner grocery store catering to students buying chips and salsa.
Do you not read?
"The attack is the latest to use malware-infected cash registers to collect and siphon off card numbers as they are read from the cards, and before they can be encrypted".
In other words, before the CC number is tokenized, the number is getting stolen. They're not stealing it out of the databases at all; they're doing it a long time before.
The Victims-exposure-heatmap.jpg, according to the Fin7 Syndicate Hacks website, is drawn in nasty WaPo compost "Democracy dies in darkness" style, a nasty campaign launched by the owner, that truck driver resembling Rusty Nail inside the movie Joy Ride, who nowadays is accompanied by an A.I. killer dog robot. This has become a commie versus capitalist street fight in cyberspace. Meanwhile the FBI is still busy cracking custom-made Canadian Blackberries confiscated in Mexico.
"Gemini Advisory alleges the thief this time is known as JokerStash or Fin7. The hackers sent phishing emails to company employees.
If the recipient clicked on the attachment, which is meant to appear as an invoice, the hackers infected the system, according to the Associated Press"
I would guess that name and card number type details that are available on the front of the card have been grabbed but the security code probably hasn't. So crims could counterfeit for manual card payments but not electronic ones, and have access to the card holder's personal information such as bank sort code/account number for identity theft.