Saks, Lord and Taylor Demonstrate How Not to Respond to Being Hacked

The New York Times is reporting that The Hudson’s Bay Company that owns Saks Fifth Avenue and Lord & Taylor confirmed that some number of stores run under these names and also Saks Off 5th were hacked and 5 million credit cards are available to be sold on the black market.

The breach is one of the larger retail credit card breaches – Target and Home Depot were each about ten times the size.  The Times says this is an indication of how difficult it is to secure credit card transaction systems.  While there is some truth to the statement, the more likely reality is that companies do not want to spend the money to fix horrible, decades old, security designs.  If you are unwilling to make changes then you should not be surprised at what you get.

Information for this post came from the New York Times.

So what can you do?

First, if you are a merchant, you need to secure your credit card system.  Hudson’s Bay said this only affected in store systems, not online shopping.

If you only allow those systems to connect to your inventory system, your loyalty card system and the credit card processor’s systems – by specific IP addresses, you have made the game geometrically harder for the hacker.  What you cannot see is difficult to hack.  For every exception you make to this rule, you make the hacker’s job easier.

You should be monitoring web traffic for unusual addresses.  While they have not given us any details, my guess it there were unusual traffic patterns.  Of course, you have to be watching for those patterns.

As a consumer, you should be watching your credit card transactions in real time.  I have had cards stolen numerous times.  The hackers get one transaction from me.  Recently, it happened to me and by the time the hackers were trying to use the card a second time, I was on the phone with the bank, they were watching the traffic stream and they killed the transaction in real time.  If hackers can’t use stolen cards, they won’t steal them.  It is no fun at that point.

How the public found out about the attack was from a security firm, Gemini Advisors, not from Hudson’s Bay.  How did they let that happen?  Did Hudson’s Bay think they could keep the breach secret?

Given the size of Hudson’s Bay, they should have had a crisis communications plan in place to be ready to deal with this.  If they did, it didn’t work.

Gemini (not Hudson’s Bay) said the hackers were in the system since last May.  They were active in the system for almost a year and they didn’t know it?  That doesn’t inspire confidence.

Hudson’s Bay said that they wanted to assure their customers that they weren’t liable for fraudulent transactions.  Note that they didn’t say that under federal law credit card companies are responsible for all fraudulent charges after the  first $50 or debit card charges after the first $500, subject to certain rules.  This is not Hudson’s being nice, this is federal law.  If you are going to hire spin doctors, do a better job of spinning.

Regarding Social Security numbers, driver’s license numbers and PINs – bottom line, they don’t think they were compromised.  That data should be tokenized so that there is no question that it can’t be compromised.  Bad system design.

If you need help with solving problems like this, give us a call.

Leave a Reply

Your email address will not be published.