The complaint for this class action claims that in the past five years, almost every major data breach at retail chain stores has involved malware on point of sale (POS) systems—yet retailers still do not take adequate precautions to protect vulnerable customer data. In this case, it was Saks & Company’s systems that were breached, and the issue is not only the breach but Saks’s failure to detect it or properly inform customers for nearly a year.
The class for this action is all persons living in the US who made credit or debit card purchases at any affected Saks Off 5th store between July 1, 2017 and March 31, 2018.
On March 28, 2018, the hacking group Fin7 announced it had engineered a data breach at a major company, resulting in the theft of information for over five million credit and debit cards. A few days later, the cyber-threat research group Gemini Advisory put out a report saying that the company was Hudson’s Bay Company (HBC), the parent company of Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor. That same day, HBC confirmed the data breach.
Later reports cited the breach of POS systems, and said that the hackers had had access to information between approximately July 1, 2017 and March 31, 2018. This was not all. In March 2017, the complaint says, HBC had accidentally exposed the personal information of “tens of thousands” of customers through the company’s websites.
Compounding the problem, Saks seems to have been unaware of the breach for eleven months. It made no public announcement until after the release of the Gemini report.
The complaint faults Saks on a number of points.
The complaint points to the major data breaches already suffered by retail chains such as Target and Home Depot, saying that these events should have warned Saks to upgrade its security measures. The complaint says, “The deficiencies in Saks’ data security were so significant that the malware installed by the hackers remained undetected and intact for approximately one year.”
Although the complaint says that HBC had “soaring profits and revenues,” it charges that the company invested heavily in remodeling stores and opening new stores but not in upgrading security. It claims that Saks did not take recommended industry standard measures that were available for protecting customer data and that it did not even comply with Federal Trade Commission (FTC) guidance.
The complaint alleges that the company is guilty of negligence and breach of implied contract, among other things.