1/23/2014 07:25 PM
1.1 Million Payment Cards Exposed In Neiman Marcus Data Breach

Debit and credit card details 'scraped' during transactions in stores

Neiman Marcus today disclosed details of a data breach it suffered over a three-month period last year that resulted in the theft of 1.1 million customers' debit and credit cards. The attackers hacked into the high-end retailer's computer systems and planted malware that siphoned customer card information during transactions.

There is no indication thus far that customers who shopped online with Neiman Marcus were exposed in the hack, nor were customers' Social Security numbers and birth dates, Neiman Marcus Group president and CEO Karen Katz said in a letter on the retailer's website. Neiman Marcus and Bergdorf Goodman payment card accounts have not been seen being used fraudulently, she said.

"We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information," Katz said.

PINs were not exposed because the company does not use PIN pads in its stores, it said. Visa, MasterCard, and Discover have notified Neiman Marcus that some 2,400 customer payment cards used for purchases in its Neiman Marcus and Last Call stores were used fraudulently.

"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware," Katz said.

Neiman Marcus confirmed earlier this month, after Target announced it had been hit, that it had suffered a breach of customer payment cards, but it had not revealed further details on the extent of the breach until now. Target announced in late December that it had suffered a breach affecting some 40 million credit and debit cards used in its stores between Nov. 27 and Dec. 15. This month Target also revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people were stolen in the attack -- a number that may overlap with the payment card victims.

The FBI, meanwhile, has reportedly issued a warning to retailers to be ready for more attacks, after investigating some 20 breach cases in the past year that used the same type of malware used in the Target attack. This so-called "memory-parsing," or RAM-scraping, malware infects POS systems such as cash registers and card-swiping equipment in stores, and copies payment card data out of the system's memory during the window in which that data is held unencrypted.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," the FBI said in its report obtained by Reuters.

"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.

Meanwhile, Neiman Marcus says it has no "knowledge of any connection" to Target's data breach. The retailer said "a leading forensics firm" first found signs that Neiman Marcus had been breached, and an investigation is still in progress. The malware that was found has been "disabled," the company says.

Michael Sutton, vice president of security research at Zscaler, says it remains to be seen whether the Neiman Marcus breach is related to Target's. "While the method of infection appears similar, the time frames do not overlap, and the stolen data was not sent to the same location," he says.

"[I am] glad to see the disclosure by Neiman Marcus's chief executive. We have known for some time that several retailers have been breached by organized crime gangs using sophisticated malware specifically designed to run on point-of-sale machines to capture credit cards from retail in-store transactions," says Anup Ghosh, founder and CEO of Invincea. "While traditionally consumers and retailers have felt safer with 'card present' transactions, these breaches from 2013 now lay bare the false sense of security."

Rob Sadowski, director of technology solutions for RSA, says retailers will continue to get hit by sophisticated cybercriminals seeking payment card information. "This latest breach disclosure reinforces that merchants will continue to face attacks from sophisticated, determined cybercriminals seeking to compromise their customers’ payment card data. They are going after the biggest and highest profile targets because they know they can succeed," Sadowski says.

Most retailers don't have the ability to detect the attackers before they siphon the customer data, he says. "The length of time the attackers remained on the network without detection is evidence," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
