Update: Neiman-Marcus reports breach involved two related malware insertions

In a letter dated January 25 to the New Hampshire Attorney General’s Office, retailer Neiman-Marcus disclosed some additional details concerning the breach and their attempts to address consumer concerns.

As previously reported, in mid-December, Neiman-Marcus learned from its merchant processor of unauthorized payment card activity following purchases at Neiman-Marcus stores. On January 1, Neiman-Marcus learned, preliminarily, that “scraping” malware had been inserted in their system.  They later learned, as they have also previously disclosed, that the malware had been inserted in their system as early as July 2013.

What investigators just discovered more recently, however,  is that separate but related malware that allowed the scraping malware to function had been inserted earlier in 2013. Neiman-Marcus did not specify exactly when that malware was inserted.  Investigators also determined that the scraping malware was not operating at all Neiman-Marcus stores and even for those where it was operating, it did not operate every day between July 16 and October 30.

Based on current information, Neiman-Marcus believes that name and Track One information were involved, but not other types of information. They do not use PIN pads in their stores, either.

For the 2400 cards that were linked to fraudulent purchases, Neiman-Marcus says it has postal addresses for 71% of them, but because they do not know whether those same cards were involved in other retailers’ recent breaches, they cannot be sure whether their breach was the source of the card information used for fraudulent purchases.  For the broader population of 1.1 million card numbers, Neiman-Marcus does not have addressed for 31%, which is why it has resorted to public notices and e-mails for those for whom they have e-mail addresses.

Although some media sources have questioned whether the breach occurred earlier than July 16 because Neiman-Marcus is offering free credit monitoring to all customers who shopped between January 1, 2013 and January 22, 2014, Tracy M. Preston, Senior Vice-President and General Counsel, explains that they are using a larger window “in an abundance of caution in light of the uncertainty at this state of the investigation.”

“Fundamentally, our goal is to communicate to all our customers that taking care of them is and always has been our top concern,” writes Ms. Preston.

About the author: Dissent

Comments are closed.