Hudson’s Bay Co., a Toronto-based department store operator, is investigating a data security breach which may have put millions of the department-store company’s customer payment cards at risk.

The retailer said on Monday it is looking into data security issues involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America.

According to security firm Gemini Advisory, details from more than 5 million credit and debit cards were stolen by a hacking syndicate, which is gradually putting them up for sale on the dark web.

The security firm stated that this is the handwork of JokerStash, infamous for its long streak of successful high-profile breaches, including Whole Foods, Chipotle, Omni Hotels & Resorts, Trump Hotels and others.

“Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores,” the security firm said.

The majority of stolen credit cards were obtained from New York and New Jersey locations. Customers who frequently shop at luxury retail chains like Saks Fifth Avenue are more likely to purchase high-ticket items regularly, making it easier for criminals to abuse stolen payment cards and remain undetected for a longer period of time.

Hudson Bay co. said it is coordinating with law enforcement authorities and the payment card companies, and data security investigators to get more information.