1.1 Million Payment Cards Exposed In Neiman Marcus Data BreachDebit and credit card details 'scraped' during transactions in stores
Neiman Marcus today disclosed details of a data breach it suffered over a three-month period last year that resulted in the theft of 1.1 million customers' debit and credit cards. The attackers hacked into the high-end retailer's computer systems and planted malware that siphoned customer card information during transactions.
There is no indication thus far that customers who shopped online with Neiman Marcus were exposed in the hack, nor were customers' Social Security numbers and birth dates, Neiman Marcus Group president and CEO Karen Katz said in a letter on the retailer's website. Neiman Marcus and Bergdorf Goodman payment card accounts have not been seen being used fraudulently, she said.
"We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information," Katz said.
PINs were not exposed because the retailer doesn't use PIN pads in its stores, according to the retailer. Visa, MasterCard, and Discover have notified Neiman Marcus that some 2,400 customer payment cards used for purchases in its Neiman Marcus and Last Call stores were used fraudulently.
"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware," Katz said.
Neiman Marcus confirmed earlier this month that it had suffered a breach of customer payment cards, after Target announced it had been hit, but had not revealed further details on the extent of the breach until now. Target announced in late December that it had suffered a breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15, and this month revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack -- a number that may have some overlap with the payment card victims.
The FBI, meanwhile, has reportedly issued a warning to retailers to be ready for more attacks, after investigating some 20 breach cases in the past year that used the same type of malware used in the Target attack. This so-called "memory-parsing," or RAM-scraping, malware infects POS systems, such as cash registers and credit-card swiping equipment in stores.
The malware scrapes the payment card information from the computer memory when it's unencrypted.
"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," the FBI said in its report obtained by Reuters.
"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.
Meanwhile, Neiman Marcus says it has no "knowledge of any connection" to Target's data breach. The retailer said "a leading forensics firm" first found signs that Neiman Marcus had been breached, and an investigation is still in progress. The malware that was found has been "disabled," the company says.
Michael Sutton, vice president of security research at Zscaler, says it remains to be seen whether the Neiman Marcus breach is related to Target's. "While the method of infection appears similar, the time frames do not overlap, and the stolen data was not sent to the same location," he says.
"[I am] glad to see the disclosure by Neiman Marcus's chief executive. We have known for some time that several retailers have been breached by organized crime gangs using sophisticated malware specifically designed to run on point-of-sale machines to capture credit cards from retail in-store transactions," says Anup Ghosh, founder and CEO of Invincea. "While traditionally consumers and retailers have felt safer with 'card present' transactions, these breaches from 2013 now lay bare the false sense of security."
Rob Sadowski, director of technology solutions for RSA, says retailers will continue to get hit by sophisticated cybercriminals seeking payment card information. "This latest breach disclosure reinforces that merchants will continue to face attacks from sophisticated, determined cybercriminals seeking to compromise their customers’ payment card data. They are going after the biggest and highest profile targets because they know they can succeed," Sadowski says.
Most retailers don't have the ability to detect the attackers before they siphon the customer data, he says. "The length of time the attackers remained on the network without detection is evidence," he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio