Neiman Marcus Downsizes Breach Estimate
Investigation Finds Far Fewer Payment Cards Compromised
Neiman Marcus has revised downward its estimate of the number of payment cards compromised in its breach last year.
An investigation has determined that the number of potentially affected credit and debit cards was about 350,000, down from the original estimate of 1.1 million (see: Neiman Marcus Reveals Breach Details).
The new details came to light in an updated statement from CEO Karen Katz posted to the company's website on Feb. 21.
"The number (of compromised cards) has decreased because the investigation has established that the malware was not operating at all our stores," Katz says in the statement.
The company did not immediately respond to a request for additional information.
Additionally, Visa, MasterCard and Discover notified the company that, to date, approximately 9,200 of the 350,000 compromised cards were subsequently used fraudulently elsewhere.
"Regardless of whether or not your card was affected, we have notified customers for whom we have mailing and/or e-mail addresses who shopped with us either in-store or online in 2013," Katz says.
The company also reiterated that 77 of its stores were impacted by the malware. "At these 77 stores, the malware was not operating at every register or every day during the July 16 - October 30 period," an FAQ on the company's site says.
Information on the number of stores affected was first revealed by Michael Kingston, the company's senior vice president and chief information officer, while testifying to Congress, along with Target Corp. executives, about the recent high-profile breaches at the retailers (see: Target, Neiman Marcus Differ on EMV).
The malware used in the Neiman Marcus breach is being described as "sophisticated" and "self-concealing," and was capable of obtaining payment card information, the FAQ says.
Additionally, other malware associated with the attack was found to be in Neiman Marcus' systems as early as March, although the company says that malware was not capable of scraping card data.
Nearly 60,000 alerts were set off by company systems as hackers were exfiltrating card data, according to a report from Businessweek. The information appears in a 157-page internal Neiman Marcus report dated Feb. 14, the publication reports. The report, Businessweek says, was prepared by Protiviti, a risk and advisory services firm.
Information in the internal report also suggests that the breaches at Neiman Marcus and Target may not be linked, according to Businessweek.
Aviv Raff of Israel-based Seculert, a cloud-based cybersecurity company, told Businessweek: "The code style and the modus operandi look totally different. The [Neiman Marcus] attackers were using a specific code for a specific network, and the way they were writing their code doesn't seem to be related to the way that the attackers on the Target breach were."