(Bloomberg)—Hudson’s Bay Co. fell the most in four months after a data security breach may have put millions of the department-store company’s customer payment cards at risk.
Hudson’s Bay, No. 81 in the Internet Retailer 2017 Top 500, said on Sunday it is investigating a breach on cards used at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Security firm Gemini Advisory wrote in a post that details from more than 5 million credit and debit cards were stolen by a hacking syndicate, which is gradually putting them up for sale.
Hudson’s Bay shares fell as much as 7% to C$8.30 Monday in Toronto, the biggest intraday decline since Dec. 6. They had already dropped 21% this year through March 29. Markets were closed Friday for the Good Friday holiday.
The theft further clouds the outlook for the company, which has been struggling to win back customers increasingly turning toward online retailers like Amazon.com Inc. (No. 1). Last week, Hudson’s Bay reported fourth-quarter earnings that missed estimates and a decline in same-store sales.
“We identified the issue, took steps to contain it and believe it no longer poses a risk to customers shopping at our stores,” the company said in an updated statement on Saks’ website Monday. The investigation is continuing, it said.
Online retailers are taking steps to stop fraud. Retailers spent 8% of their annual revenue to prevent and manage fraud in 2017, up from 6% on average, according to a Javelin/Vesta study.
More store-based retailers have adopted EMV (short for EuroPay, MasterCard, Visa) standards, which has driven more criminals online to commit fraud because chip-based cards make it harder to commit fraud in stores. But Hudson Bay’s still managed to fall victim to a security breach.
There is no indication that e-commerce operations were affected, according to the statement. Hudson’s Bay urged customers to flag any unfamiliar transactions to their card providers and said they won’t be liable for fraudulent charges.
An external representative for Hudson’s Bay declined to comment on Gemini’s report.