Neiman Marcus has admitted that its breach may have affected around 1.1 million credit cards.
According to a statement by Neiman Marcus president and CEO Karen Katz, the company can confirm that social security numbers and birth dates were not compromised and that its Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity, but approximately 1,100,000 customer payment cards could potentially have been visible to the malware.
She confirmed that malware was installed on its system, which collected payment card data between 16th July and 30th October last year. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” she said.
Katz also confirmed that customers who shopped online do not appear to have been impacted, and neither were PINs, as the company does not use PIN pads in its stores.
“We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information. We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority,” she said.
Neiman Marcus said that it still has no knowledge of a connection to the Target breach, and that it is currently conducting a full review of all of its payment card information systems, reviewing its intrusion detection systems and firewalls, reinforcing security tools, and reviewing and hardening its systems.
Tom Cross, director of security research at Lancope, said: “Other retail organisations have got to be asking themselves if their systems were also compromised, and how well prepared they are to respond in the event that this happens to them.
“Lancope recently commissioned a study by the Ponemon Institute on how well prepared IT organisations are to respond to cyber security incidents. What we learned is that senior executives are often in the dark – only 20 per cent of our survey respondents told us that their executives are frequently briefed on cyber security threats. This can translate into organisations being under-prepared, because the leadership team isn’t aware of the risks and therefore isn’t investing adequately in preparedness.
“Most of our respondents told us that investments in incident response preparedness have either declined or remained the same over the past 2 years, while the frequency of attacks has increased. Hopefully the news of these major retail compromises will serve as a wake-up call to senior executives that cyber security incidents can have significant consequences for their businesses and they need to be prepared.”