Attacks/Breaches
1/23/2014
07:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

1.1 Million Payment Cards Exposed In Neiman Marcus Data Breach

Debit and credit card details 'scraped' during transactions in stores

Neiman Marcus today disclosed details of a data breach it suffered over a three-month period last year that resulted in the theft of 1.1 million customers' debit and credit cards. The attackers hacked into the high-end retailer's computer systems and planted malware that siphoned customer card information during transactions.

There is no indication thus far that customers who shopped online with Neiman Marcus were exposed in the hack, nor were customers' Social Security numbers and birth dates, Neiman Marcus Group president and CEO Karen Katz said in a letter on the retailer's website. Neiman Marcus and Bergdorf Goodman payment card accounts have not been seen being used fraudulently, she said.

"We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information," Katz said.

PINs were not exposed because the retailer doesn't use PIN pads in its stores, according to the retailer. Visa, MasterCard, and Discover have notified Neiman Marcus that some 2,400 customer payment cards used for purchases in its Neiman Marcus and Last Call stores were used fraudulently.

"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware," Katz said.

Neiman Marcus confirmed earlier this month that it had suffered a breach of customer payment cards, after Target announced it had been hit, but had not revealed further details on the extent of the breach until now. Target announced in late December that it had suffered a breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15, and this month revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack -- a number that may have some overlap with the payment card victims.

The FBI, meanwhile, has reportedly issued a warning to retailers to be ready for more attacks, after investigating some 20 breach cases in the past year that used the same type of malware used in the Target attack. This so-called "memory-parsing," or RAM-scraping, malware infects POS systems, such as cash registers and credit-card swiping equipment in stores.

The malware scrapes the payment card information from the computer memory when it's unencrypted.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," the FBI said in its report obtained by Reuters.

"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.

Meanwhile, Neiman Marcus says it has no "knowledge of any connection" to Target's data breach. The retailer said "a leading forensics firm" first found signs that Neiman Marcus had been breached, and an investigation is still in progress. The malware that was found has been "disabled," the company says.

Michael Sutton, vice president of security research at Zscaler, says it remains to be seen whether the Neiman Marcus breach is related to Target's. "While the method of infection appears similar, the time frames do not overlap, and the stolen data was not sent to the same location," he says.

"[I am] glad to see the disclosure by Neiman Marcus's chief executive. We have known for some time that several retailers have been breached by organized crime gangs using sophisticated malware specifically designed to run on point-of-sale machines to capture credit cards from retail in-store transactions," says Anup Ghosh, founder and CEO of Invincea. "While traditionally consumers and retailers have felt safer with 'card present' transactions, these breaches from 2013 now lay bare the false sense of security."

Rob Sadowski, director of technology solutions for RSA, says retailers will continue to get hit by sophisticated cybercriminals seeking payment card information. "This latest breach disclosure reinforces that merchants will continue to face attacks from sophisticated, determined cybercriminals seeking to compromise their customers’ payment card data. They are going after the biggest and highest profile targets because they know they can succeed," Sadowski says.

Most retailers don't have the ability to detect the attackers before they siphon the customer data, he says. "The length of time the attackers remained on the network without detection is evidence," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?