HBC says data breach lasted up to 9 months

Hudson's Bay Co. says a previously announced security breach at its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores began as early as July 1 last year, but has been contained since March 31.

HBC believes breach no longer poses a risk to customers shopping at affected stores

A data breach at department store chains Saks Fifth Avenue, Saks Off 5th and Lord & Taylor compromised the personal information of their customers. The chains' parent company, Canada-based Hudson's Bay Co., announced the breach of its store payment systems on April 1. (Richard Drew/Associated Press)

A previously announced data breach at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor locations in the United States lasted about nine months before it was detected and shut down last month, Hudson's Bay Co. said Friday.

The Toronto-based retail company announced the breach on April 1 but provided few details at the time. It said Friday that the breach began as early as July 1 last year but has been contained since March 31.

HBC chief executive Helena Foulkes, who joined the company in February, said Friday that the company regrets any concern caused by this issue.

"Throughout this process, we have made it our goal to work quickly to provide support and information to our customers and we will continue to serve them with that same dedication," Foulkes said in a statement.

HBC now says the breach was caused by malware, a type of software inserted into its system to collect customer payment card information, including cardholder name, payment card number and expiration date.

"The company wants to reassure affected customers that they will not be liable for fraudulent charges that may result from this matter," it said in the statement.

It also said that it has arranged to provide potentially affected customers with identity protection services at no cost to them, including credit and web monitoring — a common practice with this sort of data breach.

The details released Friday confirm only some of the information published weeks ago by Gemini Advisory LLC, a cybersecurity firm that detected the breach after it noticed an influx of stolen credit and debit card information for sale.

HBC repeated Friday its original assertion that there's no indication that its e-commerce digital platforms, its Hudson's Bay or Home Outfitters stores in Canada, or HBC Europe were ever affected.

It said the company has no evidence that contact information, Social Security or Social Insurance numbers, driver's license numbers, or personal identity numbers associated with the cards were affected by this issue.

HBC shares dropped to as low as $8.45 on April 3 but closed Thursday at $9.07 on the Toronto Stock Exchange. They were down marginally Friday morning.