This is beginning to sound like a broken record. Krebs on Security is reporting that high end retailer Neiman Marcus is now publicly owning up to a credit card data breach. Like the Target data breach in which the data of up to 110 million users was stolen, the breach happened during the busy holiday shopping season. The big differences at the moment are that Neiman Marcus is not providing numbers of customers affected and also saying that they are in the process of containing the breach.
Below is the statement from Neiman Marcus:
“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”
The first take away from that statement is “we have begun to contain the intrusion.” I’m not sure if that is just bad PR writing or that means Neiman Marcus’ systems are still vulnerable. When news of the Target data breach occurred, Target was quick to point out that it had contained the breach. The second take away is that Neiman Marcus appears, as of the time of the statement, to only be notifying customers whose cards they knew had been fraudulently used. If you’re not sure of the size of a data theft and only contacting those who already had seen their cards used, that information seems somewhat contradictory.
Neiman Marcus is saying that this only affected customers shopping in its stores. Although initially Target made those same claims, but new information revealed yesterday included the possibility that online Target shoppers could have been affected as well.
The period in question appears to be mid-December, but even Neiman Marcus has released no hard date range as of yet. Keep in mind that companies affected by these sorts of attacks, along with the banks and insurance companies involved, are traditionally closed mouthed about details and information to limit liability and exposure. Or until the story becomes too big to contain. Target has been reasonably forthcoming on its situation up to this point, and one would reasonably expect further information from Neiman Marcus to its customers.
Neiman Marcus is working with the Secret Service and other law enforcement agencies along with forensic firms to determine the scope of the theft and the impact on its customers.
Security Week columnist Mike Lennon reports this on the story as well:
According to Daniel Ingevaldson, CTO at Easy Solutions, some of compromised card numbers taken from Neiman Marcus could have already hit the cybercrime underground.
“On Jan 4th, we saw a dump of 2 Million cards onto the black market – one of the largest single day drops we’ve seen in a while,” Ingevaldson said.
“While we can’t definitively say what the source of the breach was, the percentage of Extremely High Value cards is significantly higher than we see on average,” he continued. “These are cards like the Amex Centurion card – an invite-only card that comes with a $7500 setup fee, and $2500 annual fee. While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus.”
Apparently the only thing that moves faster than this kind of bad news is a credit card thief.