Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/23/2014
07:25 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

1.1 Million Payment Cards Exposed In Neiman Marcus Data Breach

Debit and credit card details 'scraped' during transactions in stores

Neiman Marcus today disclosed details of a data breach it suffered over a three-month period last year that resulted in the theft of 1.1 million customers' debit and credit cards. The attackers hacked into the high-end retailer's computer systems and planted malware that siphoned customer card information during transactions.

There is no indication thus far that customers who shopped online with Neiman Marcus were exposed in the hack, nor were customers' Social Security numbers and birth dates, Neiman Marcus Group president and CEO Karen Katz said in a letter on the retailer's website. Neiman Marcus and Bergdorf Goodman payment card accounts have not been seen being used fraudulently, she said.

"We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information," Katz said.

PINs were not exposed because the retailer doesn't use PIN pads in its stores, according to the retailer. Visa, MasterCard, and Discover have notified Neiman Marcus that some 2,400 customer payment cards used for purchases in its Neiman Marcus and Last Call stores were used fraudulently.

"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware," Katz said.

Neiman Marcus confirmed earlier this month that it had suffered a breach of customer payment cards, after Target announced it had been hit, but had not revealed further details on the extent of the breach until now. Target announced in late December that it had suffered a breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15, and this month revealed that names, mailing addresses, phone numbers, or email addresses for up to 70 million people also were stolen in the attack -- a number that may have some overlap with the payment card victims.

The FBI, meanwhile, has reportedly issued a warning to retailers to be ready for more attacks, after investigating some 20 breach cases in the past year that used the same type of malware used in the Target attack. This so-called "memory-parsing," or RAM-scraping, malware infects POS systems, such as cash registers and credit-card swiping equipment in stores.

The malware scrapes the payment card information from the computer memory when it's unencrypted.

"We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," the FBI said in its report obtained by Reuters.

"The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors," the FBI said.

Meanwhile, Neiman Marcus says it has no "knowledge of any connection" to Target's data breach. The retailer said "a leading forensics firm" first found signs that Neiman Marcus had been breached, and an investigation is still in progress. The malware that was found has been "disabled," the company says.

Michael Sutton, vice president of security research at Zscaler, says it remains to be seen whether the Neiman Marcus breach is related to Target's. "While the method of infection appears similar, the time frames do not overlap, and the stolen data was not sent to the same location," he says.

"[I am] glad to see the disclosure by Neiman Marcus's chief executive. We have known for some time that several retailers have been breached by organized crime gangs using sophisticated malware specifically designed to run on point-of-sale machines to capture credit cards from retail in-store transactions," says Anup Ghosh, founder and CEO of Invincea. "While traditionally consumers and retailers have felt safer with 'card present' transactions, these breaches from 2013 now lay bare the false sense of security."

Rob Sadowski, director of technology solutions for RSA, says retailers will continue to get hit by sophisticated cybercriminals seeking payment card information. "This latest breach disclosure reinforces that merchants will continue to face attacks from sophisticated, determined cybercriminals seeking to compromise their customers’ payment card data. They are going after the biggest and highest profile targets because they know they can succeed," Sadowski says.

Most retailers don't have the ability to detect the attackers before they siphon the customer data, he says. "The length of time the attackers remained on the network without detection is evidence," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13386
PUBLISHED: 2020-05-27
In SmartDraw 2020 27.0.0.0, the installer gives inherited write permissions to the Authenticated Users group on the SmartDraw 2020 installation folder. Additionally, when the product is installed, two scheduled tasks are created on the machine, SDMsgUpdate (Local) and SDMsgUpdate (TE). The scheduled...
CVE-2019-20806
PUBLISHED: 2020-05-27
An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.