Last week, Hudson's Bay Company (HBC) reported subpar results for the final quarter of fiscal 2017. Comparable store sales fell 2.4% despite generally strong sales trends elsewhere in the retail industry. The Hudson's Bay chain and the upscale Saks Fifth Avenue chain both achieved comp sales increases, but this was offset by sharp declines for Lord & Taylor and the company's off-price brands.

In total, Hudson's Bay lost hundreds of millions of dollars last year and burned nearly 1 billion Canadian dollars of cash. The company recently hired retail veteran Helena Foulkes as its new CEO, with a mandate to turn the business around.

That task just became even harder. Over the weekend, Hudson's Bay disclosed a data breach that may have compromised millions of customers' credit card accounts across its Saks Fifth Avenue, Lord & Taylor, and Saks OFF 5TH chains.

Hudson's Bay gets hacked

A group known as the JokerStash Syndicate appears to have stolen information for more than 5 million credit cards by infiltrating the point-of-sale systems at dozens of stores spanning the Saks Fifth Avenue, Lord & Taylor, and Saks OFF 5TH brands. The group has started to sell the credit card information on the dark web in smaller batches.

The parking lot and exterior of a Lord & Taylor store

Credit card data was stolen from Lord & Taylor and two other Hudson's Bay chains. Image source: Author.

The JokerStash group has been behind several other credit card breaches over the past few years, including at Chipotle Mexican Grill. Upgrading to chip-based credit card systems (rather than magnetic strips) was supposed to improve data security, but that doesn't seem to have helped Hudson's Bay.

A costly error

The credit card hack is bound to hurt Hudson's Bay's efforts to return to profitability. First, there will be various direct costs of addressing the problem. The company has had to hire security experts to investigate the breach. It will also set up a dedicated call center to answer customers' questions and will pay for identity theft monitoring for all affected customers. Additionally, banks and credit card companies may impose fines to cover some of the cost of writing off fraudulent charges.

Indirect costs of the breach could be substantial, too. Chipotle Mexican Grill's management noted that customer traffic slowed somewhat after news of the company's credit card breach came out last spring. The damage at the restaurant chain highlights the vulnerability of merchants that are already facing sales pressure for other reasons.

Furthermore, Saks Fifth Avenue and Lord & Taylor both cater to wealthy customers and charge high prices. It would be reasonable for their customers to be less forgiving of a security breach than the average consumer.

Climbing uphill

The recent credit card breach at Saks Fifth Avenue, Lord & Taylor, and Saks OFF 5TH comes at a particularly inconvenient time. While Saks Fifth Avenue is benefiting from a rebound in luxury retail, the latter two brands have been floundering for several years. Foulkes is supposed to be evaluating those two parts of the business over the next several months to determine Hudson's Bay's next steps.

If customer traffic now takes a turn for the worse, it will be that much harder for Foulkes to find a way forward for these two struggling chains.

On the other hand, this incident could be the last straw that forces Hudson's Bay to make some tough choices. The recent divergence in performance between Saks Fifth Avenue and Lord & Taylor suggests that Hudson's Bay should consider consolidating its U.S. business under the Saks brand. This would require a painful restructuring -- many Lord & Taylor locations would need to be shuttered and sold, while others could be converted to Saks Fifth Avenue stores -- but it may offer the most viable path to long-term success.