Canada-based department store operator Hudson's Bay Co. has disclosed that it fell victim to a security breach that impacted the bank card details of people who had shopped at its stores.

“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” according to a statement on the website of Saks Fifth Avenue.

The breach is thought to have resulted in the theft of more than five million credit and debit cards, which had been used in the affected stores owned by Hudson's Bay, according to Gemini Advisory.

The firm, which is dedicated to tracking stolen financial details, has blamed the theft on a cybercriminal ring dubbed JokerStash (and also known as Fin7). The group is believed to have announced on March 28 that it had obtained a cache of five million bank card numbers, which it had nicknamed ‘BIGBADABOOM-2’. In the meantime, the details of 125,000 cards from the loot have reportedly been put up for sale on the dark web.

The gang did not disclose where it had obtained the data. However, having analyzed a sample of the data together with a number of banks, Gemini Advisory has determined that most of the bank cards had been used in stores operated by Hudson's Bay in New York and New Jersey.

According to the firm, 83 Saks Fifth Avenue or Saks Off Fifth stores and all 51 Lord & Taylor locations have been compromised. At least three Saks locations in Canada are also thought to have suffered the breach.

The attackers are believed to have stolen the credit card information during nearly 12 months – from May 2017 to March 2018. The payment card details were pilfered through malicious software that, once installed on the cash register systems in the affected stores, funneled the card numbers to the gang.

“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores. While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms, Hudson’s Bay, Home Outfitters, or HBC Europe,” reads the retailer’s statement.

The company also vowed to keep its customers updated as it learns more details about the breach and offered to provide free identity protection services for those affected.

A number of large retailers have suffered thefts of payment card data in recent years, including Home Depot in 2014 and Target in 2013.