Saks Fifth Avenue is the latest retailer to report that customers' personal information has been inadvertently exposed online.
In this case, it was e-mail addresses and phone numbers of Saks shoppers that were visible on its retail website. The breach was first reported by BuzzFeed.
BuzzFeed said “tens of thousands of customers” were affected. E-mail addresses, phone numbers and product codes were visible “in plain text online,” BuzzFeed reported. The pages reviewed by BuzzFeed, an Internet-based media company, have since been taken offline. The exposed data were visible only via a specific link on the Saks site, one where customers went to join a wait-list for certain products.
The company that owns Saks and maintains its website, Canadian-based department store retailer Hudson’s Bay Co., acknowledged that some customer data were exposed. But it stressed that it is moving quickly to resolve the situation and that key personal data, such as credit card numbers, were not exposed.
“We take this matter seriously,” Hudson’s Bay Co. told USA TODAY in a prepared statement. “We want to reassure our customers that no credit, payment or password information was ever exposed. The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”
Tim Erlin, a VP at cybersecurity firm Tripwire, says it's too early to say how severe the “disclosure of sensitive information” at Saks will turn out to be. Consumers, though, should always be concerned when personal data is not properly safeguarded. “The cardinal rule,” Erlin says, “is after an initial report of a breach of some kind, you will always learn more later.”
Cyber thieves, he says, can use e-mail lists and phone numbers to inflict financial damage on unsuspecting victims, including identity theft. “A collection of valid e-mails is in effect a target list for phishing campaigns,” Erlin says. A phishing scam is when cyber thieves send out e-mails purporting to be from reputable sources to induce potential victims to reveal personal data, such as credit card numbers, social security numbers and passwords. There's also potential for hackers who get ahold of e-mail addresses to put malicious software, such as ransomware, on PCs, he adds.
The retail industry continues to battle hack attacks and inadvertent disclosures of personal information, as shoppers increasingly shift their purchases online and away from brick-and-mortar stores.
Hudson’s Bay Co. was founded in 1670 and owns leading retail brands such as Lord & Taylor, Gilt and Saks. This past week, The New York Times reported that Hudson’s Bay was in talks to acquire high-end retailer Neiman Marcus.
© Gannett Co., Inc. 2017. All Rights Reserved