Neiman Marcus Says More Than One Million Customers Affected by Data Breach

Chilling new information on the Neiman Marcus data breach was released late last night. In a letter to Senator Richard Blumenthal, the upscale retailer gave a wide-ranging account of the hack, which it described as highly sophisticated and difficult to trace. Malware used in the cyber-attacks appears to be almost identical to that found at Target, where more than 110 million customers had their credit card information stolen.

Neiman CIO Michael R. Kingston, who penned the letter, said the malware was installed by hackers as early as July 2013, but the company did not become aware of it until December 13, when Visa identified a batch of fraudulent purchases linked to cards used at Neiman stores.

Neiman then hired a forensics firm on December 20 and notified law enforcement on December 23. By January 1, the forensics firm had found and identified the malware program, which it described as “Kaptoxa,” a variant of the “BlackPOS” program used against Target.

Neiman then waited until January 10 to notify customers of the breach, a decision which will no doubt be questioned by lawmakers. Neiman reps say the delay was due to the ongoing forensics investigation – executives wanted to get a better grip on the facts of the breach before disclosing the information to customers.

The data theft is certainly far more widespread and serious than Neiman Marcus brass originally indicated. Kingston says as many as 1.1 million credit and debit cards may have been compromised at Neiman, while 2,400 card numbers have already been used for fraudulent purchases.

According to Neiman, the investigation found that customers’ Social Security numbers and birth date information were not taken, which reduces the likelihood of widespread identity theft stemming from the breach. It is one piece of good news in an otherwise ugly episode for the retailer.

Karen Katz, Neiman’s CEO, says the company will offer one year of free credit monitoring to affected customers.

Security experts warn that the odds of other retailers also being infected by the malware are high. Americans should carefully scrutinize their accounts in the coming months, even if they’ve never set foot in a Target or Neiman Marcus store.

Anup Ghosh, CEO of the security firm Invincea, thinks retailers should publicize security breaches as soon as they become known.

“All retailers should err on the side of disclosing to all consumers that are potentially affected while at the same time disclosing fully what they know about the breach and how it happened,” Ghosh said.

Ghosh also says the ramifications of the Target and Neiman hacks will be far-reaching.

“The impact of the Target breach and other retailers in similar circumstances (and not yet fully disclosed) can have big effects on consumer confidence and impact the U.S. economy unless steps are taken to address this vulnerability immediately,” he said.