Neiman Marcus has announced that some 1.1-million customer credit and debit cards may have been exposed in a hack attack. The retailer was first alerted to the intrusion at the beginning of the year by a security researcher.
It appears that “sophisticated, self-concealing malware” able to obtain payment card information was active in the company’s systems between July 16 and Oct. 30, 2013, CEO Karen Katz said.
The investigation is still under way, but to date Neiman Marcus has determined that Social Security numbers and birth dates were not compromised. There’s been no sign of fraudulent activity connected with the Neiman Marcus and Bergdorf Goodman cards. Online shoppers have not been impacted, and PIN pads are not used in Neiman Marcus retail stores.
The Neiman Marcus attack follows Target’s recent massive data breach. Target’s CFO is scheduled to testify before the U.S. Senate Judiciary Committee about the intrusion on Feb. 4.
The retail industry had better get used to these stepped-up tactics by cybercriminals, said Steve Durbin, global vice president of the Information Security Forum.
“There’s little chance that this threat will diminish, and more targeted attacks will make it difficult to track, analyze and protect against them,” he told the E-Commerce Times.
In fact, the odds are very good that other retailers also have been compromised — they just don’t know it yet, said Ken Westin, a security researcher at Tripwire.
“We are seeing some similarities in the tools used in the attack and some commonalities in the infrastructures within both organizations,” he told the E-Commerce Times.
Some differences between the two events also are evident, noted Tim Erlin, director of IT risk and security strategy at Tripwire.
“One stark difference is the method of discovery,” he told the E-Commerce Times. “At Target, they found the breach themselves, but Neiman Marcus had no idea that they were compromised until its payment processor alerted them to a pattern of fraud on cards used at their stores.”
The scale is different as well, with only 1 million cards being compromised at Neiman Marcus. The Target breach exposed 40 million debit and credit cards, as well as 70 million other customer records.
“We should, however, note that both incidents started with a small disclosure that expanded as investigators learned more,” said Erlin. “It’s quite possible that there is more to learn about the scope of the Neiman Marcus breach as well.”
Neiman Marcus’ Response
Neiman Marcus so far is following the expected playbook for a response to a data breach, observed Mark Stanislav, security evangelist at Duo Security.
“Neiman Marcus has offered both credit monitoring and identity theft protection services to potentially affected customers,” he told the E-Commerce Times. “Even though Neiman Marcus believes that only cards used during about a three-month period of the year were at risk, they’ve extended these services to all of their 2013 customers.”
It would be helpful, he added, if the retailers experiencing these breaches would release comprehensive reports on their findings to better guide information security programs as they try to prevent future compromises.
That said, Stanislav is not anticipating wave after wave of hack attacks against retailers.
“While it’s certainly unsettling to have two big-name retailers compromised in such a small time frame, it’s not necessarily indicative of a larger problem beyond standard worries retailers face every day,” he said. “Hopefully what we’ll see is that between forensics, FBI involvement, and a renewed sense of focus by the payment card industry, better security controls will be put in place to help prevent future breaches.”