When Did Neiman Marcus Breach Start?Issuers, Experts Question Timeline of Attack
Could the Neiman Marcus data breach, which may have exposed more than 1 million transactions, actually date back to last January?
The luxury retailer has acknowledged a point-of-sale breach that may have compromised debit and credit transactions dating back to July 2013. But card issuers question why the merchant now is offering free credit monitoring to all customers who shopped in its stores between January 2013 and January 2014 (see Neiman Marcus Reveals Breach Details).
"That appears to imply the activity may have been taking place before July 2013," says Mike Wyffels, senior vice president and chief technology officer of QCR Holdings, a bank holding company based in Iowa. "In short, there is quite a bit of speculation going on here. Lots of opinions and not enough facts. Everyone is starving for the latter, so more can be understood about the scope of the event and how it transpired."
In a statement issued Jan. 22, Neiman Marcus President and CEO Karen Katz said a network malware attack designed "to collect or scrape payment card data" had been identified by forensics investigators.
So far, the compromise is believed to affect transactions conducted between July 16 and Oct. 30 of last year, the company says. But Neiman Marcus also notes that the investigation is ongoing.
And while the retailer says its breach is not related to Target Corp.'s POS malware attack, financial fraud expert and Aite analyst Shirley Inscoe says the attacks seem too similar not to be connected.
"Both Target and Neiman Marcus have stated they detected malware that was planted in their systems to scrape data," she says. "It appears to me they were both victims of hackers who used advanced persistent threat attacks until they gained access, then planted this malware, unbeknownst to the companies. It scraped and collected the data over a period of months prior to being detected."
Neiman Marcus' revealed that it confirmed its breach Jan. 1, after a leading forensics firm notified it of a possible attack.
More Breached Retailers Expected
On Jan. 20, Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, told BankInfoSecurity the malware strain known as BlackPOS, or a variant of it, has been linked to at least six other retailers, beyond Target and Neiman Marcus.
"Most of the victims are department stores," Komarov writes in a Jan. 17 blog about recent malware attacks. "More BlackPOS infections, as well as new breaches, can appear very soon; retailers and security community should be prepared for them."
The names of the six other retailers were not revealed, but the IP addresses affected are based in Arizona, California, Colorado and New York, he says.
Inscoe says it's likely other retailers will soon make disclosures about similar attacks their payments networks and systems have suffered.
"The longer they wait, the more angry their customers should be that they sat on this knowledge without sharing it with potential victims," she says. "In retrospect, Target showed a lot of leadership in coming forward publicly, negatively impacting their holiday sales, while all the others have held back."
A malware attack this week has been linked to online transactions conducted through sports equipment company Easton-Bell Sports, according to a statement issued by the company Jan.21.
IntelCrawler says the Easton-Bell breach is not among the six other retailers it has linked to POS malware attacks similar those that breached Target and Neiman Marcus.
One executive with a card issuing institution in the Midwest, who asked not to be named, says retailers breached by the recent waves of malware attacks appear to be "covering themselves" by not disclosing their attacks immediately.
"I have heard several leads on the other six," but tracing the fraud back to common points of compromise is challenging, the executive says. "The FIs [financial institutions] are like deer in the woods at hunting time, hoping we go pick the right path - i.e., to reissue cards or not, or to lower limits or not."
Neiman Marcus Investigation
Neiman Marcus says its investigation has revealed that personally identifiable information, such as Social Security numbers and dates of birth, was not compromised. The retailer also notes that online purchases and PINs were not adversely affected by the breach, which is why the breach is believed to have only affected the POS network, spokeswoman Ginger Reeder says.
No fraudulent activity has yet been linked to Neiman Marcus or Bergdorf Goodman payment cards, the company adds. Bergdorf Goodman is a subsidiary of Neiman Marcus.