The bad news for shoppers continues as high-end retailer Neiman Marcus admitted over the weekend that thieves had accessed its systems and made unauthorized charges on customers’ credit cards over the holiday period, at roughly the same time as the vast data breach affecting mass market retailer Target.
While Target launched a PR campaign to win back the trust of shoppers, including the revelation that malicious software was likely involved in the theft of data on up to 110 million cards, there were fresh developments from the leading retail trade association, the National Retail Federation (NRF). As reported by Reuters, the organization called for stronger security for cards. Reuters is also reporting that three more retailers are affected by similar breaches, but did not name names.
ESET security researcher Lysa Myers has updated her advice for shoppers who fear they may have become victims of the Target or Neiman Marcus breaches, or any others that come to light in the near future.
Neiman Marcus was informed of its breach by its credit card processor, and is working with the U.S. secret service and forensics firms to uncover details of the attack, Yahoo! reported. Brian Krebs of Krebs on Security said that he had heard from “various sources” in the financial industry about fraudulent charges traced back to cards which had been used at Neiman Marcus. When Krebs contacted the retailer, they confirmed the breach.
The news follows further revelations of the scale of the data breach affecting Target, which has admitted that up to 110 million users may have been affected, and that more information may have been accessed than previously thought, as reported by We Live Security here.
It is not clear how many Neiman Marcus stores were affected, or how many customers have fallen victim, according to CNET, which points out that the attacks occurred at a similar time to the Target breach, and share at least one similarity - the affected shoppers appear to be those who shopped in-store, rather than online. As Krebs wrote, “The timing of the discovery of the Neiman Marcus incident--mid-December--roughly corresponds to the discovery of the Target breach.”
Neiman Marcus released an official statement, referring to card activity that occurred after users had purchased at its stores, saying, “We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation." The firm went on to stay
“On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cybersecurity intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security....The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”