Most of the affected stores are in New York state and New Jersey, although three Canadian stores (in Toronto, Brampton and Pickering) might have also been hit.

The parent of both retail brands, Canada's Hudson's Bay Company, confirmed the breaches and said it had "taken steps to contain" the hacks. Customers would get free credit monitoring and other identity protection services once there was "more clarity around the facts," HBC said. It's not clear what those security measures entail, however, and it's not certain that the hacks have come to an end. A spokesperson talking to Reuters declined to elaborate.

JokerStash, however, is well-known. The hacker outfit has been connected to a string of data breaches including Chipotle, Omni Hotels and Whole Foods. It has a pattern of dribbling out cards to both maximize their sale potential and to avoid tipping off bank investigators trying to pinpoint the source of a given breach.

News of the hacking comes at a particularly bad time. In March 2017, BuzzFeed News learned that Saks had been storing customer data (though not payment info) in plain text on its servers -- it's bound to be embarrassing for the retailer to suffer a more serious breach just over a year later, even though the two incidents aren't likely connected. HBC may need to bend over backwards to regain the trust of Saks shoppers who've been burned twice.