The attackers who penetrated the Neiman Marcus network last year were on the network for at least three months and made off with credit and debit card data belonging to 1.1 million customers. The company said that the data breach was the result of a compromise that began in mid-July and ran until the end of October.
A company statement said that Visa, MasterCard and Discover cards were affected, including debit cards, and that at least 2,400 cards have been used fraudulently at this point.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively collected or “scraped” credit card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have potentially been visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” the statement said.
The Neiman Marcus breach is about one-hundredth the magnitude of the Target data breach in terms of the number of cards that were affected, but signs point to similar attack vectors. Target officials have confirmed that malware was found on the company’s point-of-sale systems and the attackers were able to scrape card and PIN data from the terminals just before it was encrypted. Security researchers have said that the malware used in the Target attack appears to be a variant of the BlackPOS malware.
Neiman Marcus did not say specifically that POS malware was used in the intrusion on its network, but its statement points to a similar attack methodology. In an FAQ, the company said “Your PIN was never at risk because we do not use PIN pads in our stores.”
The company said that it is working with law enforcement and a forensics firm to investigate the intrusion on its network.
“We informed federal law enforcement agencies and began working actively with the U.S. Secret Service, the payment brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading payment brand-approved forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. At this time, the malicious software we have found has been disabled,” the statement said.
Image from Flickr photos of Becky Mullane.