A a cyber crime group called JokerStash (also known as Fin7) announced the release for sale of five million credit cards obtained from the “Saks Fifth Avenue” luxury department store and the “Lord & Taylor” stores.

How The Theft Was Done
According to Gemini Advisory, a cyber security firm specializing in tracking stolen financial data, the credit card data was stolen by installing malicious software in the cash registers of the stores. The software has been siphoning credit card data from May 2017 until last month.

Gemini researchers said that the entire network of Lord & Taylor was compromised along with 83 stores of Saks Fith Avenue. The majority of credit cards were stolen from store locations in New York and New Jersey.

The JokerStash group is known for also hacking into Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels, and other large companies. However, its latest hack of the Saks Fith Avenue and Lord & Taylor stores seems to have been one of more the most profitable, with the group obtaining over 5 million credit cards.

Hudson’s Bay Company (HBC), a Canadian retail group owns both Saks Fifth Avenue and Lord & Taylor stores, along with other retail brands, such as Galeria Kaufhof, Home Outfitters, and Gilt.com, a popular online shopping site. However, these last three companies don’t seem to have been hacked by JokerStash.

Ignoring Security Upgrades Gets You Hacked
As Maersk’s chair recently said, it’s imperative for companies to strive to secure their devices and networks as much as possible. Otherwise, it’s only a matter of time before they get hacked, too.

Saks Fifth Avenue and Lord & Taylor seem to have also learned this lesson the hard way. The two companies are among the few that have held out on upgrading their cash registers to using only EMV “chip and PIN” cards.

Now, the two companies not only have to deal with the negative press and their customers’ anger, but they are also liable for this data breach. A law passed in 2015, shifted liability to retail stores in case of credit card data breaches, unless said stores used EMV chip and PIN cards, in which case the liability would remain with the banks.

Gemini researchers recommended customers of the two retail chains to either replace their cards or setup transaction alerts to monitor for suspicious activity. The cyber security company anticipates a significant surge in fraudulent in-person purchases in the coming months using those stolen cards.