Feeds

Hackers slurp credit card details from US luxury retailer Neiman Marcus

Meanwhile, 2 million 'high value' cards were just dumped on black market - fraud-watcher...

Security for virtualized datacentres

Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details.

Neiman Marcus confirmed a security breach in a series of updates to its official Twitter account and apologised, without detailing the extent of the problem or commenting on its possible cause.

"The security of our customers' information is always a priority and we sincerely regret any inconvenience," the retailer said, before adding "we are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores."

Neiman Marcus provided a longer statement to investigative journalist Brian Krebs, who first reported the breach.

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

Daniel Ingevaldson, CTO at fraud protection firm Easy Solutions, said fraud-watchers noticed a big dump of around two million high-value cards hitting the black market around the start of the year, something he theorised on Friday might have come from the Neiman Marcus breach.

"On Jan 4th, we saw a dump of 2 million cards onto the black market - one of the largest single day drops we've seen in a while. While we can't definitively say what the source of the breach was, the percentage of Extremely High Value cards is significantly higher than we see on average," Ingevaldson said in a blog post. "These are cards like the Amex Centurion card - an invite-only card that comes with a $7,500 setup fee and $2,500 annual fee. While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus."

The latest attack against a high-profile US retailer dates from the middle of the Christmas shopping season, around the same time as a massive breach against US chain Target that resulted in the theft of 40 million credit and debit card records as well as 70 million sets of personal information.

Sources in the information security industry are telling El Reg that the Target breach involved installing malware on point-of-sale systems, a theory that's consistent with media statements by Target chief exec Gregg Steinhafel over the weekend.

Reuters reports investigators as saying that the Target and Neiman Marcus breaches have several features in common with each other – as well as with a series of hacks over the holiday season that also affected three other retailers in less significant breaches. The latter breaches are likely to become public over the next few days or so. Sources told the news agency that the as-yet-unidentified attackers used similar techniques and malware to siphon the data, prompting some to speculate that all of the incidents could be linked. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
Apple grapple: Congress kills FBI's Cupertino crypto kybosh plan
Encryption would lead us all into a 'dark place', claim G-Men
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.