Feeds

Hackers slurp credit card details from US luxury retailer Neiman Marcus

Meanwhile, 2 million 'high value' cards were just dumped on black market - fraud-watcher...

The Essential Guide to IT Transformation

Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details.

Neiman Marcus confirmed a security breach in a series of updates to its official Twitter account and apologised, without detailing the extent of the problem or commenting on its possible cause.

"The security of our customers' information is always a priority and we sincerely regret any inconvenience," the retailer said, before adding "we are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores."

Neiman Marcus provided a longer statement to investigative journalist Brian Krebs, who first reported the breach.

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

Daniel Ingevaldson, CTO at fraud protection firm Easy Solutions, said fraud-watchers noticed a big dump of around two million high-value cards hitting the black market around the start of the year, something he theorised on Friday might have come from the Neiman Marcus breach.

"On Jan 4th, we saw a dump of 2 million cards onto the black market - one of the largest single day drops we've seen in a while. While we can't definitively say what the source of the breach was, the percentage of Extremely High Value cards is significantly higher than we see on average," Ingevaldson said in a blog post. "These are cards like the Amex Centurion card - an invite-only card that comes with a $7,500 setup fee and $2,500 annual fee. While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus."

The latest attack against a high-profile US retailer dates from the middle of the Christmas shopping season, around the same time as a massive breach against US chain Target that resulted in the theft of 40 million credit and debit card records as well as 70 million sets of personal information.

Sources in the information security industry are telling El Reg that the Target breach involved installing malware on point-of-sale systems, a theory that's consistent with media statements by Target chief exec Gregg Steinhafel over the weekend.

Reuters reports investigators as saying that the Target and Neiman Marcus breaches have several features in common with each other – as well as with a series of hacks over the holiday season that also affected three other retailers in less significant breaches. The latter breaches are likely to become public over the next few days or so. Sources told the news agency that the as-yet-unidentified attackers used similar techniques and malware to siphon the data, prompting some to speculate that all of the incidents could be linked. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.