Saks Fifth Avenue shoppers have reason to worry this week, as the Hudson’s Bay-owned luxury retailer has reportedly exposed the personal information of tens of thousands of online customers this week.
Customers’ emails, phone numbers and IP addresses — along with identification codes for products the customers expressed interest in buying — were leaked in unencrypted, publicly accessible pages on the Saks Fifth Avenue website, according to the report by BuzzFeed News.
Hudson’s Bay removed the pages on Saks Fifth Avenue’s website revealing this data, and stressed that “no credit, payment or password information was ever exposed,” in a prepared statement to USA TODAY. While it’s still too early to tell the full extent of the data breach and what ramifications it may have on customers, the breach has cybersecurity experts concerned.
“A collection of valid emails is in effect a target list for phishing campaigns,” explained Tim Erlin, a VP at cybersecurity firm Tripwire, to USA TODAY. Hackers can send emails from seemingly reputable sources to trick customers into revealing personal information including credit card numbers and passwords. Data breach victims are also at risk of receiving ransomware via email.
Saks Fifth Avenue’s cybersecurity troubles go beyond the revealed emails, phone numbers, and IP addresses. Some pages on the retailer’s website are reportedly served unencrypted, leaving shoppers vulnerable to hackers if they try to shop on an open WiFi network, according to the BuzzFeed report.
“This is as bad as security gets,” Robert Graham, a cyber security expert, and owner of Errata Security, said to BuzzFeed News. “Everyone is vulnerable.”
Major Companies Get Hit a Lot
It seems like every week, there’s a new story about a large company being investigated for exposing customer information. Sadly, this isn’t that far from the truth. While Target’s 2013 holiday season data breach is the largest retail hack known to date — impacting anywhere between 70 million and 110 million customers — a number of other major companies have also come forward after compromising large amounts of sensitive customer information.
Home Depot, Yahoo, Anthem, CareFirst BlueCross BlueShield, J.P. Morgan, UPS Stores, Inc. and even Hello Kitty maker Sanrio Co. are just a few big names revealed to have exposed customer data in recent years, and you have likely done business with one of these companies in the past.
Saks Isn’t the First Luxury Retailer to Be Breached
Saks Fifth Avenue is far from the first luxury retailer to have exposed their customers’ information. Coming off the heels of BuzzFeed’s report about the Saks Fifth Avenue data breach is Neiman Marcus’ settlement in Illinois federal court over a data breach in Dec. 2013 that revealed the credit card data of over 350,000 shoppers.
On March 17, the designer apparel purveyor agreed to pay $1.6 million to resolve this data breach class action. Morgan & Morgan Complex Litigation Group attorney John A. Yanchunis was among those representing consumers in this class action against Neiman Marcus. (Yanchunis is currently leading what is likely the largest class action ever filed, holding Yahoo accountable for exposing up to as many as a billion user email accounts.)
Under the proposed settlement, Neiman Marcus must maintain aggressive customer data protection measures, and the company has formed an Information Security Unit tasked with monitoring customer payment card data.
Was Your Data Compromised? What You Can Do
Receiving a letter from your bank informing you that your credit card has been reissued following a data breach is becoming an increasingly common occurrence. But is this really enough to prevent a potential hack into your personal and financial information?
Customers who receive notice of a data breach — whether through their bank (as mandated by federal law) or by the company responsible for exposing your data — should take the following steps to protect their information and minimize the fallout.
Change Passwords: Regularly updating your password is always a prudent security measure, but it is especially important after your information was compromised in a data breach. Be sure to change your password on all websites that hold your financial, medical, or sensitive personal data, and avoid using the same password for multiple online accounts.
Open New Bank Account: Your bank will likely have issued you a new credit card or debit card, but if the data breach was serious enough to expose your bank account number, be sure to close the account and open a new one, according to Time Money.
Monitor Your Statements: Stay on the lookout for fraudulent or unauthorized transactions. Under the Fair Credit Billing Act, you are not liable for any of these transactions if you report them within 60 days of receiving your statement, according to the U.S. Federal Trade Commission.
Place a Fraud Alert: Identity theft following a data breach is a real threat and it can harm your credit score. The FTC advises that data breach victims contact one of the three major credit reporting companies (TransUnion, Experian, and Equifax) to request a fraud alert be placed on your credit file. The credit reporting company you contact is legally required to inform the other two of your fraud alert, as well. A fraud alert will stay on your credit report for 90 days and can be renewed at your request.
If You’re a Saks Fifth Avenue Customer, You Could Be at Risk
Anyone who has shopped online recently at Saks Fifth Avenue’s website could be at risk. If you were notified of a data breach after shopping online at the store, our attorneys want to hear from you. You may be entitled to compensation for the exposure of your personal data and other damages. Fill out our free, no-risk case evaluation form to learn more today.