Saks has been hacked — adding to the already formidable challenges faced by the luxury retailer.

A well-known ring of cybercriminals has obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor, according to a cybersecurity research firm that specializes in tracking stolen financial data. The data, the firm said, appears to have been stolen using software that was implanted into the cash register systems at the stores and that siphoned card numbers until last month.

The Hudson’s Bay Company, the Canadian corporation that owns both retail chains, confirmed on Sunday that a breach had occurred.

“We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America,” the company said in a statement. “We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Hudson’s Bay said that its investigation was continuing but that its e-commerce platforms appeared to have been unaffected by the breach. The company declined to identify how many customer accounts or stores were affected.