Luxury retailer Saks Fifth Avenue is the latest victim of a data breach that has compromised credit card accounts at the retailer, and its partners Lord & Taylor and Saks Off Fifth.
The Details on This Data Breach
The Hudson Bay Company, a Canadian corporation that owns the three retail stores, announced Sunday that a group of cybercriminals had accessed more than 5 million debit and credit card accounts using data-siphoning software implanted into the stores' cash register systems.
Citing the guidance of cybersecurity firm Gemini Advisory, Hudson Bay says they "identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores."
The retailer's breach is just another in a long line of security breaches plaguing stores, corporations, banks, and virtually any organization that stores sensitive consumer data. (In 2017 alone, there were 1,579 breaches compromising 179 million records.)
What to Do If You're a Customer of Saks or Lord & Taylor
Hudson Bay says it plans to keep customers in the loop about whether their accounts were affected, and that consumers will not be on the hook for the fraud that results from the breach.
"We wanted to reach out to our customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter," Hudson Bay said in a statement. "Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring."
If you think you might have been affected, watch the company's website for additional details as they develop. Starting April 4, customers can also call the Hudson's Bay customer assistance line at 855-270-9187.
1. Cancel Your Card and Get a New Number
Call your bank or credit card issuer immediately and let them know you want a new card with a new account number and PIN. While some financial institutions will do this automatically, you have the right to ask for a new account number if they don't. This information is often used quickly, though it can also be sold on the dark web later as well.
2. Monitor Your Credit Card Accounts
It's up to you, the customer, to remain vigilant. The issue with data breaches like this one is that once your data has been exposed, it can be used at any time in the future—especially when you least expect it. Hudson's Bay Company says there is no evidence that Social Security numbers, driver's license numbers, or PINs have been affected by the breach.
Because your credit card information is out there, you should look over your credit card statements to ensure they don't feature any unwanted activity. You can also usually set up real-time alerts with your credit cards that ping you whenever your card is used. You'll receive a text or alert on your phone any time there's a new charge.
If you do see a fraudulent charge on your account, call your bank and dispute the charge with them immediately. Consumers aren't liable for fraudulent credit card transactions, but they might be responsible for up to $500 of fraudulent debit card charges if they wait too long to report it. To minimize your liability, flag fraudulent charges immediately.
3. Monitor Your Credit Reports
This data breach is currently reported to only impact current credit card accounts, but it's always a good idea to regularly monitor your credit reports as well to keep an eye on any inquiries and new accounts that may be the work of identity thieves.
If you're worried about potential identity theft because of a data breach, you can set up a fraud alert with the three major credit bureaus, Equifax, TransUnion, and Experian. This alert notifies any lenders pulling your credit report to take extra steps to verify your identity before extending credit in your name. This can make it tougher for identity thieves to use any information they have on you, but it does not block access to your credit report altogether.
You can file a free initial security alert that is active on your account for 90 days at Experian fraud center. (No need to reach out to the other bureaus, either—bureaus are legally required to share alerts filed at one with the other two.)
The alert can be renewed after the 90 days is up if you are confirmed to be a victim of identity theft. For extended fraud alerts, you will need to file an identity theft report with the FTC.
If you want more protection than just a fraud alert, you may also want to consider freezing your credit reports. That prevents lenders from extending new credit in your name altogether. Credit freezes are generally not free unless you have proof you are a victim of identity theft.
They typically cost $10, though they can be up to $20. Find complete information on how to set up a security freeze, including details and conditions by state, click here. You will need to contact each credit bureau separately to freeze with each of them—Experian, Equifax, and Transunion.
Remember, you will also have to unfreeze your credit reports if you need to apply for a new loan or credit card. That can cost anywhere between $3 and $12. Find details on how to unfreeze your credit report here.
Editorial Disclaimer: Opinions expressed here are author's alone, not those of any bank, credit card issuer or other company, and have not been reviewed, approved or otherwise endorsed by any of these entities. All information, including rates and fees, are accurate as of the date of publication.