High-end department store Neiman Marcus said on Thursday that between July 16 and October 30, 2013, hackers using sneaky point-of-sale malware were able to obtain details of roughly 1,100,000 customer payment cards.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system,” Karen Katz, President and CEO of Neiman Marcus Group, wrote in a letter to customers. “It appears that the malware actively attempted to collect or "scrape" payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware.”
So far, Visa, MasterCard and Discover have told the retailer that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.
Based on the investigation so far, social security numbers and birth dates were not compromised, the company said.
Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity, the company said, and online customers do not appear to have been affected.
Fortunately, Neiman Marcus does not use PIN pads at its retail locations, so PINs are not at risk, unlike in the recent data breach at Target.
It is not known if there is any connection between the Target and Neiman Marcus data breaches.
On Jan. 11, Neiman Marcus told SecurityWeek that they were informed by their credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at Neiman Marcus Group stores.
Since then, the company has remained silent on the issue.
According to Daniel Ingevaldson, CTO at Easy Solutions, some compromised card numbers taken from Neiman Marcus may have hit the cybercrime underground in early January.
"On Jan 4th, we saw a dump of 2 Million cards onto the black market - one of the largest single day drops we've seen in a while," Ingevaldson said after news of the breach was initially disclosed. "While we can't definitively say what the source of the breach was, the percentage of Extremely High Value cards is significantly higher than we see on average," he continued. "These are cards like the Amex Centurion card - an invite-only card that comes with a $7500 setup fee, and $2500 annual fee. While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus."
News of the breach was initially reported by cybercrime researcher and blogger Brian Krebs. Krebs said he was informed by sources from the financial industry about fraudulent credit and debit card charges that were traced to cards that had been recently used at bricks-and-mortar Neiman Marcus locations.
The Neiman Marcus Group operates 41 Neiman Marcus branded stores, 2 Bergdorf Goodman stores, and 35 Last Call stores.
On Thursday afternoon, Reuters reported that the FBI has issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after the bureau discovered about 20 cases over the past year that involved point-of-sale malware.