Luxury retailer Neiman Marcus has revealed that a breach which led to customers' payment cards being used for fraud after they shopped in its stores was far worse than first revealed, with 1.1 million cards affected over several months, according to the New York Times.
In a statement, the chain said that, “It appears that the malware actively attempted to collect or "scrape" payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware.”
The chain also revealed that card issuers said that “at least 2,400” cards had been used fraudulently in the time since, adding, “We deeply regret and are very sorry that some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information.”
The chain is offering all customers who shopped during the period a year of free credit monitoring and identity theft protection.
Expert advice from ESET security researcher Lysa Myers on how to defend against card fraud if you fear you may have used your card in stores affected by breaches can be found here.
A Reuters report points out that while the numbers affected are smaller than those hit by the Target breach, the financial impact could be high, as the store’s wealthy clientele would tend to have high-limit cards. Reuters says that six retailers have fallen victim to similar breaches in recent months.
PC World says that social security numbers and birth dates were not among the data taken in the breach, and that it is still unknown whether the breach is connected to the one afflicting Target. “We have no knowledge of any connection to that situation,” the retailer said.
The breaches have led card issuers and banks to call for a replacement for the “hugely insecure” magnetic-stripe systems used by many U.S. banks, as reported by We Live Security here.