(Adds details from company statement, comments from cyber security experts)
TORONTO/NEW YORK, April 1 (Reuters) - Retailer Hudson's Bay Co on Sunday disclosed that it was the victim of a security breach that compromised data on payment cards used at Saks and Lord & Taylor stores in North America.
One cyber security firm said that it has evidence that millions of cards may have been compromised, which would make the breach one of the largest involving payment cards over the past year, but added that it was too soon to confirm whether that was the case.
Toronto-based Hudson's Bay said in a statement that it had "taken steps to contain" the breach but did not say it had succeeded in confirming that its network was secure. It also did not say when the breach had begun or how many payment card numbers were taken.
Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring, the statement said.
A company spokeswoman declined to elaborate.
Hudson's Bay disclosed the incident after New York-based cyber security firm Gemini Advisory reported on its blog that Saks and Lord & Taylor had been hacked by a well-known criminal group known as JokerStash.
JokerStash, which sells stolen data on the criminal underground, on Wednesday said that it planned to release more than 5 million stolen credit cards, according to Gemini Chief Technology Officer Dmitry Chorine.
The hacking group has so far released about 125,000 payment cards, about 75 percent of which appear to have been taken from the Hudson's Bay units, Chorine told Reuters by telephone.
The bulk of the 5 million card numbers that JokerStash said it plans to release are likely from Saks and Lord & Taylor, but it is too early to say for sure, Chorine said.
"Its hard to assess at the moment, primarily because hackers have not released the entire cards in one batch," he told Reuters.
Alex Holden, chief information security officer with cyber security firm Hold Security, confirmed that the 125,000 cards had been released by JokerStash but said it was too soon to estimate how many had been taken from Hudson's Bay.
Affected stores include Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor, according to Hudson's Bay.
There is no indication the breach involved online sales of those stores or its Hudsons Bay, Home Outfitters and HBC Europe units, the company said.
The company said that customers will not be liable for fraudulent charges resulting from the breach.
(Reporting by Jim Finkle in Toronto and David Henry in New York Editing by Bill Rigby and Steve Orlofsky)