HBC says Saks data breach lasted up to 9 months until contained March 31
Women's clothes are shown inside Saks Fifth Avenue, the company's new store in downtown Toronto, on Tuesday, Feb. 16, 2016. (Nathan Denette / THE CANADIAN PRESS)
David Paddon, The Canadian Press
Published Friday, April 27, 2018 10:46AM EDT
Last Updated Friday, April 27, 2018 11:15AM EDT
TORONTO -- A previously announced data breach at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor locations in the United States lasted about nine months before it was detected and shut down last month, Hudson's Bay Co. said Friday.
The Toronto-based retail company announced the breach on April 1 but provided few details at the time. It said Friday that the breach began as early as July 1 last year but has been contained since March 31.
HBC chief executive Helena Foulkes, who joined the company in February, said Friday that the company regrets any concern caused by this issue.
"Throughout this process, we have made it our goal to work quickly to provide support and information to our customers and we will continue to serve them with that same dedication," Foulkes said in a statement.
HBC now says the breach was caused by malware, a type of software inserted into its system to collect customer payment card information, including cardholder name, payment card number and expiration date.
"The company wants to reassure affected customers that they will not be liable for fraudulent charges that may result from this matter," it said in the statement.
It also said that it has arranged to provide potentially affected customers with identity protection services at no cost to them, including credit and web monitoring -- a common practice with this sort of data breach.
The details released Friday confirm only some of the information published weeks ago by Gemini Advisory LLC, a cybersecurity firm that detected the breach after it noticed an influx of stolen credit and debit card information for sale.
HBC repeated Friday its original assertion that there's no indication that its e-commerce digital platforms were ever affected, nor were its Hudson's Bay or Home Outfitters stores in Canada or its HBC Europe operations.
It said the company has no evidence that contact information, Social Security or Social Insurance numbers, driver's license numbers, or personal identity numbers associated with the cards were affected by this issue.
HBC shares dropped to as low as C$8.45 on April 3 but closed Thursday at $9.07 on the Toronto Stock Exchange. They were down marginally Friday morning.