Neiman Marcus Credit Card Breach: A Prelude to Target's?
Neiman Marcus has finally disclosed how many of its customers were affected by the security breach it had previously announced. According to the high-end retailer, about 1.1 million customers were affected over a three-month period by a security breach of the same kind that has hit Target and other big retailers.
After Target, Neiman Marcus and reportedly four other U.S. retailers were compromised by the same credit-card transaction hack. Neiman Marcus came forward on Thursday to disclose the scope of its data breach.
The upscale retailer's statement confirms that the malware attack was indeed similar to the Target credit card data breach, which occurred at the height of the holiday shopping season. Neiman Marcus's breach, however, ran for a longer period than Target's, took place far earlier, and was overall much smaller in scope.
The breach lasted about three months, during which approximately 1.1 million customers' credit cards were exposed to the card-data-stealing malware. Anyone who shopped at a physical Neiman Marcus store between Jul. 16, 2013 and Oct. 30, 2013 is at risk -- a window that predates Target's breach by months. Online shoppers, as in Target's case, were not affected.
According to Neiman Marcus, only 2,400 unique customer payment cards used at Neiman Marcus and its subsidiary Last Call have been reported by the major card companies Visa, MasterCard and Discover as having been used fraudulently. The retailer is nevertheless notifying every customer for whom it has contact information or an address who shopped at Neiman Marcus between January 2013 and January 2014.
Still, the overall impact of the Neiman Marcus breach is far smaller than that of the Target breach, which exposed information on over 40 million credit and debit cards to potential fraud -- including card numbers, PINs, and the security codes printed on the back of cards -- and also exposed 70 million encrypted PINs, names, addresses, phone numbers, and email addresses.
Neiman Marcus says social security numbers, birth dates, and PINs were not taken, since the retailer does not use PIN pads in its stores. In addition, Neiman Marcus says its own store cards and Bergdorf Goodman cards have not seen any fraudulent activity.
Neiman Marcus: A Test Before Target?
Neiman Marcus also says forensic and criminal investigations into the malware that was "clandestinely installed" in the company's credit card system are ongoing. The company does know that the malware "actively attempted to collect or 'scrape' payment card data," which is the same modus operandi (and the same term) described by Target and by the security researchers who have traced the malware back to Russia.
If it is the same malware as in Target's breach, it is called BlackPOS (point of sale), and it traces back to a St. Petersburg, Russia-based hacker who will turn 18 this year. Known online as "Ree4," the Russian hacker pieced together standard malware code from various underground cybercrime sites to create BlackPOS -- a "RAM scraper" (hence Neiman Marcus's use of the verb "scrape") that captures card data as it passes through a system's live memory, or RAM, where it sits unencrypted, in plain text. Ree4 reportedly sold his malware to a group of Eastern European cybercriminals for either $2,000 or a 50 percent cut of the profits. Investigations are ongoing, though, so more details on the origin of the hacks and the malware -- as well as the identities of the four other retailers suspected of falling victim to it -- will be forthcoming in time.