Saks Fifth Avenue and Lords & Taylor suffered a massive data breach in which over five million debit and credit cards were stolen from department store customers.

A cybersecurity research firm said it believed a notorious group of hackers obtained customers’ financial information by preying on outdated in-store credit card systems. The card numbers were collected from May 2017 until March this year from stores in New Jersey and New York.

Hudson’s Bay Company, which owns both retail chains, did not disclose the number of customers and stores that were impacted by the data breach. However, the company indicated plans to provide free identity protection to affected individuals.

Gemini Advisory, a cybersecurity research firm, said a ring of Russian-speaking cybercriminals called JokerStash was believed to be responsible for the Saks hack. The group is thought to have up to 2,000 members including software developers and money launderers.

Gemini Advisory said 125,000 of the five million stolen card numbers were on immediate sale online. The group stole customer payment data via phishing emails sent to Hudson’s Bay employees. Malware was used to access and gather information from computer networks.

Phishing is an effort to deceptively obtain people’s confidential information, such as their online login details or credit card numbers. Hackers send what appear to be genuine emails that urge employees to open a malicious link or attachment. Doing so installs software on the employee’s computer without their knowledge and provides hackers access to the system.

As phishing charges are serious, it is crucial to seek the guidance of a skilled defense attorney. Brill Legal Group is experienced at handling such cases and can help individuals accused of phishing and other internet crimes understand their legal options.