Neiman Marcus says more than 1 million cards hacked
Luxury retailer Neiman Marcus said that malware had been installed in its system and had pulled payment data off cards used from July 16 to Oct. 30.
The New York Times
The theft of consumer data from Neiman Marcus appears far deeper than had been disclosed originally, with the company now saying that hackers invaded the luxury retailer’s systems for several months in a breach that involved at least 1.1 million credit and debit cards.
In a statement posted on its website Wednesday night, Neiman Marcus said that malware had been installed in its system and had pulled payment data off cards used from July 16 to Oct. 30. MasterCard, Visa and Discover have told the company that about 2,400 cards used at Neiman Marcus and its Last Call outlet stores have since been used fraudulently.
Federal investigators, including the Secret Service and the FBI, have been trying to determine whether the extensive security breach at Target and the one at Neiman’s are related. Investigators and security experts have described a loose band of hackers from Eastern Europe as the likeliest suspects in the Target theft. Security experts working with the authorities have said that the hackers were eyeing several major retailers as potential targets.
Neiman Marcus Group, which also owns Bergdorf Goodman, said it would notify all customers who shopped in those stores between January 2013 and January 2014 — and for whom the company has a mailing or email address. It also said it would offer one free year of credit monitoring to all of those shoppers.
The company was first told that there may have been a breach in mid-December, when its payment processor said unauthorized charges were turning up on cards that had been used at Neiman Marcus Group stores. The company informed federal law enforcement, and a forensic investigation found evidence of the breach Jan. 1, Neiman said.
The week before Christmas, Target announced that 40 million of its customers had had their credit- and debit-card information compromised. Those customers shopped in its stores between Nov. 27 and Dec. 15. Then in January, Target said that another batch of data, personal information such as addresses and phone numbers, had been compromised — leaving a group of 70 million of its customers exposed.
At Target, malware installed on point-of-sale systems snatched customer data off the cards’ magnetic strip, and then covered its own tracks by immediately deleting the file where the data had been stored, according to people with knowledge of the investigation.
Neiman said it had no knowledge of a connection between the two attacks. Social Security numbers, PIN data and birth dates were not compromised, the company said.
“Our goal is to do everything possible to restore your trust and to earn your loyalty,” said Karen Katz, chief executive of Neiman Marcus Group, on the company’s website.