Millions of Saks, Lord & Taylor customers compromised in recent hack
In the 21st century, it seems, life is a breach. Hackers made news again last week, when tony retailers Saks Fifth Avenue and Lord & Taylor revealed that financial information of five million of their customers had been compromised by a hack attack between May 2017 and last month.
“The criminals responsible appear to have installed malicious software on the cash registers that would collect the card number from any card swiped by the cashier, impacting all types of credit and debit cards,” says Eric Jacobsen (CAS’93, MET’03), BU’s information security director.
Investigators said the malware probably was installed when employees inadvertently clicked on links or attachments in emails sent by phishers—scammers who send emails masquerading as legitimate. Clicking on the links surreptitiously installed software that gave the hackers access to company computers.
The theft, one of the largest of its kind, is believed to have been committed by a group of Russian-speaking criminals known variously as Fin7 or JokerStash. The hacking group has offered 125,000 of the stolen records for sale.
BU Today asked Jacobsen for advice on protecting oneself from such hacks.
BU Today: The attacks were on patrons of stores mostly in New York and New Jersey. Is there any indication that card data of Terriers or their families were stolen?
Jacobsen: We have no information on who was affected by this. Since the malware was installed on cash registers in stores rather than the online store presence, the most likely victims would be those who have shopped in the physical stores in New York and New Jersey from May 2017 to March 2018.
What are the broader lessons here for the rest of us? BU has suffered phishing attacks as well.
In a phishing attack, the malicious actor wants an individual to either respond to an email or click on a link. The ploy often involves creating a sense of urgency, such as telling you that you only have a short time to respond to receive a benefit or avoid a penalty.
The best prevention techniques involve careful scrutiny of the email: why is this message urgent? Would the sender actually put time pressure on me for this task? Who sent the message? When in doubt, it’s best to verify with the apparent source. Take out your credit card or bank statement and call the number on that document—not the one provided in the email—and validate if the message is legitimate. The BU community can report phishing attempts to IS&T as well. If you fall victim to a phishing message, you should immediately change your password, scan your computer for spyware and viruses, and seek help from the IT Help Center.
Paying cash would eliminate some risk, but these were high-end retailers where that might be impractical. Is data theft a risk we have to assume when we use credit or debit cards to make purchases?
Most major retailers work very hard to avoid these kinds of events, but there is always some risk that they will occur. That said, consumers have good protection from fraudulent charges on their credit cards and generally have very limited liability, particularly compared to the risks associated with carrying large amounts of cash. There are important differences in how this liability works between credit and debit cards. In general, you have better protection from fraud when you use a credit card instead of a debit card, due to consumer protection regulations that govern the credit card industry.
If you suspect that your card might have been involved in a breach, you should check your recent transactions by calling the card issuer, via their online portal, or when you receive your monthly statement. You should be sure you know what each transaction is. You can also get your credit report for free from each of the credit bureaus once per year and review that to ensure you know about all the sources of credit and debt associated with your name.
If you see fraudulent activity on your card, you should contact the financial institution associated with the card. Those institutions are very good at helping determine the best course of action, whether it is getting a new card number, changing a password or PIN number, or pursuing credit monitoring or a credit freeze.
What steps has BU taken institutionally to guard against this threat?
The retail functions of the University have to be compliant with a stringent set of IT and business requirements called the Payment Card Industry Data Security Standard (PCI-DSS). The University participates in an annual process involving an external assessor, in which we review and certify compliance with the standard. We also conduct these reviews any time we make changes to the information systems that support credit card processing. Over the past few years, we have also installed new credit card readers that encrypt transactions at the card reader, eliminating many sources of risk that the credit card number will be captured during processing.