The Saks / Lord & Taylor Breach May Be Traced to Phishing Scam

April 5, 2018         By: Payment Week

The fallout from the recent and enormous Saks / Lord & Taylor breach is still being felt, but a new report from Gemini Advisory now suggests a likely culprit. The system wasn’t breached directly, nor because of any fault in mobile payments; rather, the breach was most likely caused by a phishing scam, where poor email hygiene at the employee level may ultimately have cracked the system.

The Gemini Advisory report suggests that a cybercriminal ring, already well known in cyber security circles for several other major hacks, used malicious links contained in emails sent to employees, at least one of whom likely clicked a link and so gave the criminals a route into the system.

Gemini’s co-founder and chief technology officer, Dmitry Chorine, considered this the most likely route, one that gave the hackers free rein for what amounted to a year. After details for around 250,000 cards appeared on the online hacking marketplace JokerStash—which subsequently announced plans to release data on five million credit and debit cards—investigations began in earnest and responses were put in place.

A report from the Anti-Phishing Working Group noted that phishing attacks hit record levels in 2016, so the notion that phishing was used in this hack is hardly out of line.

The worst part about news like this is that the whole thing would have been comparatively easy to defend against. Phishing attacks depend on someone opening a link in an email; it’s not some arcane hacker trick, it’s literally just a link in an email. If Saks / Lord & Taylor staff had been better educated about phishing attacks, this likely wouldn’t have happened. It might still have happened, of course, but it almost certainly would have taken something a lot more complex to do the job.

Clicking links in email is bad business, particularly when the sender is someone you don’t immediately recognize. The more we know about phishing attacks, the better off we all will be, whether we’re at home or working for a major corporation. Five million people’s credit card data says we can all stand to do better on this front.