The breach comes as Hudson's Bay struggles to improve its financial performance as a tough retail environment has weighed on sales and margins. Last June, it launched a transformation plan to cut costs and is working to monetize the value of its substantial real estate holdings.
Hudson's Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.
Joker Stash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.
The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson's Bay units, Chorine told Reuters by telephone.
The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.
"It's hard to assess at the moment, primarily because hackers have not released the entire cards in one batch," he told Reuters.
Alex Holden, chief information security officer with cybersecurity firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson's Bay.
If in fact millions of records were stolen, the breach would be one of the largest involving payment cards in the past year, but it would still be far smaller than any of the biggest thefts on record, which occurred a decade ago.
Hackers stole more than 130 million credit cards from credit-card processor Heartland Payment Systems, convenience store operator 7-Eleven Inc and grocer Hannaford Brothers Co, from 2006 to 2008, according to US federal investigators.
Cybercriminals stole some 40 million payment cards in a 2013 hack on Target Corp and 56 million from Home Depot Inc in 2014.
Hudson's Bay said there is no indication its recent breach involved online sales at Saks and Lord & Taylor outlets or its Hudson's Bay, Home Outfitters and HBC Europe units.
The company said that customers will not be liable for fraudulent charges resulting from the breach.
(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)