A proposed class action has been filed in California federal court against Saks & Company LLC—better known as Saks Off 5th—over its alleged failure to provide customers with timely and accurate notice of a March 2018 data breach perpetrated by “notorious” hacking group Fin7.
Fin7 announced in March that it had successfully infiltrated the systems of an unnamed major corporation, stealing more than five million credit and debit card numbers, the lawsuit says. Cyber threat research firm Gemini Advisory reportedly confirmed on April 1 that the stolen customer data belonged to Hudson’s Bay Company, the defendant’s parent organization. Later reports revealed the breach pinpointed “potentially all Saks Fifth Avenue, Saks Off 5th and Lord & Taylor locations in North America” between July 1, 2017 and March 31, 2018, according to the complaint.
The plaintiff argues the defendant’s own acts and omissions are to blame for the cybersecurity attack and decries Saks & Company for failing to detect the breach for more than 11 months while only publicly acknowledging the incident after the release of the Gemini Advisory report.
“If Saks had maintained and implemented proper data-security measures to safeguard Customer Data, deter Fin7 and other hackers, and detect the breach within a reasonable amount of time, it is more likely than not that the breach would have been prevented, or at the very least, its harm mitigated,” the suit reads. “The data breach was the inevitable result of Saks’ inadequate approach to data security and the protection of the Customer Data that it collected during the course of its business. The deficiencies in Saks’ data security were so significant that the malware installed by the hackers remained undetected and intact for approximately one year.”