Pierluigi Paganini January 13, 2014

Neiman Marcus retailer confirmed a data breach, it is the second case in a few weeks after data breach at US retailer Target discovered Brian Krebs.

The high-end retailer Neiman Marcus confirmed a data breach that could represent a risk its customers, the incident occurs a few weeks after the clamorous data breach at US giant retailer Target. Neiman Marcus has 79 stores and reported total sales of $1.1 billion in the Q4 2013.

Also in this case the data breach at Neiman Marcus was first reported by cybersecurity expert Brian Krebs, the specialist confirmed a surge in fraudulent credit and debit charges on cards that had been used at Neiman Marcus stores.

“Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.” reported Krebs.

Neiman Marcus revealed that its customers are at risk after hackers breached servers of the company and accessed the payment information of those who visited its stores.

The company is working to inform customers whose cards have been used for fraudulent purchases, but differently, from the case of retailer Target, the company hasn’t provided information on the nature of data leaked and on the number of customer records exposed.

Neiman Marcus spokesperson Ginger Reeder announced the company does not yet know the cause, size or duration of the data breach, she also added that there is no evidence of a possible impact on those shoppers who purchased from the online stores.

The entirety of the company’s formal statement is as follows:

“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”

Neiman Marcus was informed in mid-December by its credit card processor and subsequently reported the data breach to law enforcement.

The company apologized to its customers for the incident and confirmed that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores.

Cyber criminal activities are more frequent during the holiday season, experts hypothesized also a possible connection between this data breach and the one occurred to Target retailer.

“In the wake of the Target breach, customers, lawmakers and consumer advocates have stepped up calls for Congress to set guidelines on how merchants should protect consumer data. In a statement Friday, Sen. Edward J. Markey (D-Mass.) said that the Target breach illustrates a need for clear, strong privacy and security standards across all industries. When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed,” he said. reported the Washington Post.

Are Target and Neiman Marcus two isolated cases?

“Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.” reported a post by Reuters.

According to the people familiar with the attacks other smaller breaches occurred on at least three other well-known U.S. retailers. The technique adopted by attackers is the same to the one against Target, those breaches have yet to come to light and rumors refer similar incidents may have occurred earlier last year.

There is the suspect the perpetrators may be the same as those who attacked Target retailer, likely the ring leaders are from Eastern Europe.

Security analysts expect an increment for illicit activities related to credit and debit card abuses, and they also sustain that it can be more difficult for retailers and credit card issuers to detect patterns of unusual spending.

Pierluigi Paganini

(Security Affairs –  Neiman Marcus, cybercrime)

[adrotate banner=”5″] [adrotate banner=”13″]