Neiman Marcus Hit by Breach, More Retailers Also Likely at Risk

This past holiday season, it wasn't just consumers who went shopping at major U.S. retailers. Neiman Marcus is the latest retailer to confirm it was a victim of a data breach.

U.S. retailer Target wasn't the only target of credit card thieves this past holiday season. Upscale retailer Neiman Marcus confirmed on Jan. 10 that it too was the victim of a data breach that saw customer credit card information stolen.

Neiman Marcus has not disclosed how many customer credit cards were stolen or how the breach occurred.

"The security of our customers' information is always a priority, and we sincerely regret any inconvenience," the official Neiman Marcus Twitter account stated on Jan. 11.

The retailer added in a follow-up tweet that it is taking steps to notify its customers whose credit cards were known be to be used fraudulently after purchasing goods at Neiman Marcus stores.

In a statement sent to media outlets, including blogger Brian Krebs, who broke the story, Neiman Marcus gives some guidance as to when the breach occurred.

"On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers' cards were possibly compromised as a result," Neiman Marcus stated. "We have begun to contain the intrusion and have taken significant steps to further enhance information security."

Daniel Ingevaldson, chief technology officer of payment fraud detection vendor Easy Solutions, blogged that his company saw 2 million high-value credit cards being dumped on the black market on Jan. 4.

"While we can't definitively say what the source of the breach was, the percentage of extremely high value cards is significantly higher than we see on average," Ingevaldson said. "While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus."

Neiman Marcus is the second major U.S. retailer to disclose a security incident during the 2013 holiday season. On Dec. 19, Target disclosed that it had been the victim of a credit card data breach. Initially, Target estimated that 40 million customers were impacted by the breach, but it increased the number to 70 million on Jan. 10.

According to a report published by Reuters on Jan. 12, Neiman Marcus and Target are not alone, as other retailers were also breached over the 2013 holiday season. The Reuters report claims that three or more attacks on other popular U.S. retail chains also occurred, although they have yet to be publicly disclosed. The report also claims that the methods used in the attacks were similar to those used against Target.

That method allegedly is a technique known as RAM scraping, an approach that enables an attacker to grab information from the memory on point-of-sale (PoS) devices.

Attacks against PoS devices and payment terminals are not a new phenomenon. Multiple approaches to infecting PoS devices and payment terminals have been publicly demonstrated over the years at the Black Hat USA security conference in Las Vegas. In a 2012 session titled "Pinpadpwn," a pair of security researchers publicly demonstrated multiple vulnerabilities in payment terminals that enabled them to gain unauthorized access and control of the device.

In the Target breach, the retailer has admitted that customer PIN numbers were also stolen. Target has emphasized, however, that its PIN information was strongly encrypted, making it more difficult for an attacker to make use of debit card data.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.