Neiman Marcus Downsizes Breach Estimate

Investigation Finds Far Fewer Payment Cards Compromised
Neiman Marcus Downsizes Breach Estimate

Neiman Marcus has revised downward its estimate of the number of payment cards compromised in its breach last year.

See Also: 2016 Annual Worldwide Infrastructure Security Update

An investigation has determined that the number of potentially affected credit and debit cards was about 350,000, down from the original estimate of 1.1 million (see: Neiman Marcus Reveals Breach Details).

The new details came to light in an updated statement from CEO Karen Katz posted to the company's website on Feb. 21.

"The number (of compromised cards) has decreased because the investigation has established that the malware was not operating at all our stores," Katz says in the statement.

The company did not immediately respond to a request for additional information.

New Details

Neiman Marcus says the window of time malware was collecting payment card data from its systems was from July 16 to Oct. 30, 2013.

Additionally, Visa, MasterCard and Discover notified the company that, to date, approximately 9,200 of the 350,000 compromised cards were subsequently used fraudulently elsewhere.

"Regardless of whether or not your card was affected, we have notified customers for whom we have mailing and/or e-mail addresses who shopped with us either in-store or online in 2013," Katz says.

The company also reiterated that 77 of its stores were impacted by the malware. "At these 77 stores, the malware was not operating at every register or every day during the July 16 - October 30 period," an FAQ on the company's site says.

Information on the number of stores affected was first revealed by Michael Kingston, the company's senior vice president and chief information officer, while testifying to Congress, along with Target Corp. executives, about the recent high-profile breaches at the retailers (see: Target, Neiman Marcus Differ on EMV).

Malware

The malware used in the Neiman Marcus breach is being described as "sophisticated" and "self-concealing," and was capable of obtaining payment card information, the FAQ says.

Additionally, other malware associated with the attack was found to be in Neiman Marcus' systems as early as March, although the company says that malware was not capable of scraping card data.

Nearly 60,000 alerts were set off by company systems as hackers were exfiltrating card data, according to a report from Businessweek. The information appears in a 157-page internal Neiman Marcus report dated Feb. 14, the publication reports. The report, Businessweek says, was prepared by Protiviti, a risk and advisory services firm.

Information in the internal report also suggests that the breaches at Neiman Marcus and Target may not be linked, according to Businessweek.

Aviv Raff of Israel-based Seculert, a cloud-based cybersecurity company, told Businessweek: "The code style and the modus operandi look totally different. The [Neiman Marcus] attackers were using a specific code for a specific network, and the way they were writing their code doesn't seem to be related to the way that the attackers on the Target breach were."


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network