Sophos Cloud Optix
Dallas-based retail group Neiman Marcus confirmed on Saturday that its customers may be at risk after hackers breached its servers and accessed the payment information of store visitors.
The luxury merchant said that the security breach occurred in mid-December and that an undisclosed number of payment cards had been compromised.
The news comes not long after we learned that a similar breach at Target, also in mid-December, was far worse than first thought with more than 70,000,000 “guest records” snaffled, as well as 40,000,000 payment card records.
Neiman Marcus spokesperson, Ginger Reeder, said in an email on Saturday that:
Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.
Further details of the attack are few and far between at this point in time so it is hard to tell exactly what type of information has been stolen, or how many customers may potentially be at risk.
According to a report from Reuters Neiman Marcus and Target are not alone in being breached over the Christmas shopping period. While the news agency did not identify any other victims, it did say that at least three other retailers with brick and mortar outlets may have been compromised to a lesser degree.
Cyber criminals are always busy during the holiday season as consumers tend to spend a lot more money online, making it more difficult for credit card companies and retailers alike to spot unusual spending patterns.
The rise in data breaches is a concern that has grabbed the attention of lawmakers. US Congress is moving towards making notifications of data breaches a mandatory requirement.
In a statement on Friday, Democratic Senator Ed Markey said: “When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed,” adding that the recent breaches demonstrate a need for clear and strong privacy and security standards across all industries.
Image of Neiman Marcus shopfront courtesy of Wikimedia Commons.
It’s unfortunate, but yet for every big breach we hear about, there are 10+ more that you just never hear about. Rub shoulders enough with security guys and gals who do incident analysis, forensics, and whatnot, and you get to hear plenty of stuff covered by NDAs.
It doesn’t help that when someone does announce it, we rarely get enough detail to learn from it. Boo. It does fit SOP that Neiman Marcus didn’t notice this internally until an outside creditor let them know their flye way down.
Your story said 100 million payment card records for Target that is an error. It was only 40 million, you have a link …similar breach at target…. which explains the 100 million which is a WAG (wild assed guess) based on the 70 million guest records breached added to the 40 million payment card records.
Fixed, thanks. As you say (and as our other stories make clear), it’s 40,000,000 payment card records plus 70,000,000 “guest” records.
According to Target, and the facts so far add up IMO, we’re talking about two different “breaches within a breach,” so that although 110,000,000 database records were grabbed, the number of individuals affected is indeed likely to be lower than that. But it’s probably more than 70,000,000 because some of those “guests” have probably never bought anything from Target, let alone bought something during the danger period…