One month on from the data breach at Neiman Marcus, Bloomberg Businessweek has reported that the attackers set off multiple alarms on a daily basis.
The hackers were able to move around the retailer’s network unhindered for more than 3 months, accessing the system over 60,000 times as they reloaded their software daily after it was automatically deleted from registers.
This action constantly tripped hundreds of alarms that were not detected by the Dallas-based retailer. The reason for this, according to Neiman Marcus spokeswoman Ginger Reeder, was that the hackers named their software in such a way that it appeared to be part of the company’s payment software, thereby ensuring that alerts would not stand out amongst the huge amount of data being reviewed by the firm’s security team.
These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.
According to a 157-page report produced by consultancy Protiviti, the company was in compliance with transaction data protection standards at the time of the attack.
Even so, Neiman’s security system flagged the attackers’ behaviour but it wasn’t able to identify that the code being used was malicious.
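The pattern described above, software that is automatically deleted and then reloaded every day, can be surfaced by counting the distinct days on which the same file is auto-removed from the same register instead of reviewing entries one by one. The following is an added example, not code from the article or from Neiman Marcus; the log format, the action names, the register hosts and the file names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample entries, not real data. Assumed line format:
# <ISO timestamp> <register host> <action> <file path>
SAMPLE_LOG = r"""
2013-10-01T03:00:00 REG-014 AUTO_DELETE C:\POS\payhelper.exe
2013-10-01T03:05:00 REG-014 SCAN_OK C:\POS\payment.exe
2013-10-02T03:00:00 REG-014 AUTO_DELETE C:\POS\payhelper.exe
2013-10-02T03:01:00 REG-022 AUTO_DELETE C:\POS\payhelper.exe
2013-10-02T09:30:00 REG-031 AUTO_DELETE C:\Temp\setup_tmp.exe
2013-10-03T03:00:00 REG-014 AUTO_DELETE C:\POS\PayHelper.exe
2013-10-03T03:01:00 REG-022 AUTO_DELETE C:\POS\payhelper.exe
2013-10-04T03:01:00 REG-022 AUTO_DELETE C:\POS\payhelper.exe
2013-10-04T03:02:00 REG-014 SCAN_OK C:\POS\payment.exe
"""


def recurring_removals(log_text, min_days=3):
    """Map (host, path) -> number of distinct days the file was auto-removed,
    keeping only pairs seen on at least min_days days."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] != "AUTO_DELETE":
            continue  # blank, malformed, or not a removal event
        ts, host, _, path = parts
        try:
            day = datetime.fromisoformat(ts).date()
        except ValueError:
            continue  # unparseable timestamp
        # Windows paths are case-insensitive, so normalise before grouping
        days[(host, path.strip().lower())].add(day)
    return {key: len(d) for key, d in days.items() if len(d) >= min_days}


def hosts_per_file(findings):
    """Group flagged files by path to show how many registers are affected."""
    spread = defaultdict(list)
    for host, path in sorted(findings):
        spread[path].append(host)
    return dict(spread)


if __name__ == "__main__":
    flagged = recurring_removals(SAMPLE_LOG)
    for path, hosts in hosts_per_file(flagged).items():
        print(f"{path}: removed repeatedly on {len(hosts)} registers: {hosts}")
```

The one-off removal on REG-031 is not flagged, while the file that keeps coming back on two registers is, whatever its name looks like.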
On a brighter note, however, the company has downgraded the estimated number of potentially compromised payment cards.
In a notice posted on its website on Friday the firm’s President and CEO, Karen Katz, said:
“I reported last time that approximately 1,100,000 customer payment cards could have been potentially visible to the malware.
Our investigation has now determined that the number of potentially affected payment cards is lower - approximately 350,000. The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores.”
The note also looks to reassure customers that no Social Security numbers or birth dates were compromised.
However, the number of affected cards that have subsequently been used fraudulently has increased from the initial estimate of 2,400:
“Of the 350,000 payment cards that may have been affected by the malware in our system, Visa, MasterCard and Discover have notified us to date that approximately 9,200 of those were subsequently used fraudulently elsewhere.”
Katz also said that Neiman Marcus’s own cards have not been used fraudulently and wrote that no online customers were impacted.
Additionally, she reported that no PINs were at risk since the company does not use PIN pads in its stores.
2 comments on “Neiman Marcus hackers set off 60,000 alarms over 3 months”
Seems the headline may be misleading. From the original source article on Bloomberg it is not clear whether there were truly alarms or just log entries that did not trigger alerts. It’s an important distinction to those of us who seek to learn from things like this. It also makes it easy to feel we don’t need to try, by distorting the fault to make it seem more egregious. I’m disappointed that Sophos did not pick up on this and make the effort to find out the details.
So is transaction data protection standards supposed to be PCI DSS?