Neiman Marcus President and CEO Karen Katz has formally apologised in a letter to customers, saying that the group deeply regrets the incident, that it was “very sorry that some of our customers’ payment cards were used fraudulently” and that it “remains steadfast in our commitment to delivering exceptional customer service”.
Its continuing forensic investigation found the intrusion on 1 January, after it was informed of potentially unauthorised payment card activity that occurred following customer purchases at stores in mid-December.
Katz said: “We have taken and are continuing to take a number of steps to contain the situation, and to help prevent an unlawful intrusion like this from happening again. Actions we have taken include working with federal law enforcement, disabling the malware we have found, enhancing our security tools, and assessing and reinforcing our related payment card systems in light of this new threat.
“Thank you for your patience, your trust in us, and your business as we deal with this unfortunate and regrettable intrusion.”
According to reports, the breach went undetected from July until the first signs were spotted in December. Neiman Marcus has not publicly given any estimate of how many credit card numbers were stolen, or how many customers were affected.
Commenting, Mark Bower, VP of product management at Voltage Security, said: “The industry has to understand that incomplete approaches to protecting data, that leave it exposed at some vulnerable point in its life, will result in a breach. It’s merely a matter of time. Traditional defences leave too many exploitable gaps that present an opportunity for compromise.
“Retail systems and e-commerce systems are 24/7 platforms – so data is at risk after capture, in flight, in use and in active storage. Until the magnetic strip credit card system and static credit card data is replaced, which is a long way off, retail payment protection has to be about the full lifecycle of the credit and debit card data from the instant it is captured to its hand-off to the card brands.”