Neiman Marcus Confirms Card Breach
Fraud Expert Warns of 'Widespread Targeted Attacks'
Neiman Marcus Group, a Dallas-based luxury retailer, has confirmed that it is working with the U.S. Secret Service to investigate a breach that allegedly occurred in December and may have involved the exposure of an unknown amount of customer payment cards.
This news comes only weeks after Target Corp. revealed that it was struck by a breach that may have exposed up to 40 million payment cards and personal data of up to 70 million customers (see Target Breach: New Questions Raised).
Timing Raises Questions
While there is no evidence of a direct link between the Neiman Marcus and Target breaches, the timing raises questions. Fraud expert Avivah Litan of Gartner believes U.S. retailers are under what she calls "widespread targeted attacks."
"I hear there are other retailers impacted by this latest round of malware, and that the malware was being tested at various other retailers before the Target breach," she said on Jan. 10, before the Neiman Marcus news broke. "I think there are widespread targeted attacks against the U.S. retailers - and certainly the bad guys are not just after card data, but any data they can get their hands on to perpetrate crimes."
Still, other experts say if additional retailers were attacked, the breaches don't appear to be linked.
John LaCour, CEO of online security firm PhishLabs, says news of breaches suffered by other retailers is only "rumors" at this point. And Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says the Target and Neiman Marcus breaches appear to have been waged via two separate campaigns, although both were likely the result of malware that compromised point-of-sale systems.
Target has already confirmed its breach resulted from a POS attack.
Breach Discovered in December
Security blogger Brian Krebs, who broke the Target news, also was first to report the Neiman Marcus breach. In a statement provided to Information Security Media Group on Jan. 12, Neiman Marcus spokesperson Ginger Reeder says the retailer learned of the breach in mid-December, when its payments processor saw evidence of unauthorized payment activity by Neiman Marcus customers.
"We informed federal law enforcement agencies and are working actively with the U.S. Secret Service; the payment brands; our credit card processor; a leading investigations, intelligence and risk management firm; and a leading forensics firm to investigate the situation," Reeder says.
On New Year's Day, the forensics firm found evidence that Neiman Marcus had suffered "a criminal cybersecurity intrusion," Reeder says, and that some customers' cards were possibly compromised as a result.
"We have begun to contain the intrusion and have taken significant steps to further enhance information security," Reeder adds.
Neiman Marcus is now notifying customers whose cards "were used fraudulently after making a purchase at our store," she says.
Neiman Marcus Group operates 41 Neiman Marcus stores across the U.S., as well as two Bergdorf Goodman stores and 36 Last Call clearance centers. As of early on Jan. 13, Neiman Marcus Group has posted no information about the breach on its corporate or retail websites, and there have been no public statements from president/CEO Karen Katz.
The company has taken to social media, though, using its Twitter feed to announce on Jan. 11: "We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores," and "The security of our customers' information is always a priority and we sincerely regret any inconvenience."
In response to the Neiman Marcus tweets, some customers expressed surprise and outrage.
"This happened in December and I'm hearing about it on Twitter?" said one customer, signing the tweet "#disappointed."
"This is getting so prevalent now!" tweeted another customer. "From Target to Neimans! I'm Paying Cash from Now On!"
There have been no formal announcements on the official Neiman Marcus Facebook page, but customers nonetheless are posting strong reactions.
"Bank of America just notified me and deactivated my debit card saying that my information was compromised," posted one customer. "Looks like I'll be shopping elsewhere from now on."
Waiting to Learn More
LaCour of PhishLabs says it likely will take time for Neiman Marcus to get to the bottom of the details surrounding its breach; but he hopes more information will be issued by the retailer soon. "Since Neiman Marcus was notified by card issuers of the breach in mid-December, the breach ... most likely occurred in November or early December," LaCour says. "Hopefully Neiman Marcus will explain what information was compromised and when so that their customers can determine if they are exposed - was it just card data or were customer names, addresses and e-mail addresses also stolen?"
Tom Field contributed to this report.