Major Retailers Respond to Data Breach

Retailers Saks Fifth Avenue and Lord & Taylor experienced a data breach affecting about 5 million customers. Hackers JokerStash Syndicate (also known as Fin 7) stole and resold credit and debit card information retrieved during the sales process.

Both companies are owned by Hudson's Bay Co., and we see that their customer messages have been coordinated. On both retailers' websites, text appears at the top of the page in a yellow box. When you click on the "Important Message" link, you see two statements dated one day apart and a list of FAQs.


The second message is below:

April 2, 2018 Statement

Updated Statement

We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson's Bay, Home Outfitters, or HBC Europe. We deeply regret any inconvenience or concern this may cause.

We wanted to reach out to our customers quickly to assure them that they will not be liable for fraudulent charges that may result from this matter. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. We encourage our customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.

We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies. For further information, please visit,, or To speak with a dedicated call center representative, beginning April 4, 2018, you can call 1-855-270-9187, Monday - Saturday, 8 am - 8 pm CT.


  • Read the statements on the retailers' websites. Identify the primary and secondary audiences and communication objectives.
  • How well do the statements achieve their objectives? What else, if anything, should the companies communicate at this point?
  • To what extent are the retailers holding themselves accountable for the breach?