Even though it used security measures that exceeded industry recommendations, Neiman Marcus said it was not until six months after a malware had harvested payment card information from its customers that the high-end United States retail giant was able to detect the attack.
There are about 1.1 million unique payment cards used at all Neiman Marcus Group stores that could have been exposed to the attack. However, so far 2,400 cards have been fraudulently used after the attack, according to a letter by Michael Kingston, CIO of Neiman Marcus, to Sen. Richard Blumenthal, a Democrat from Connecticut who is demanding more details from the store and Target Corp. on how they have responded to recent data breaches in their businesses.
The Target breach is believed to have exposed some 40 million debit and credit card accounts.
Kingston said that their investigation indicates that a “scraping malware” had been harvesting customer payment card data from July 16, 2013 to October 30, 2013.
However, it was only on January 1st this year that Neiman Marcus learned that it had been attacked.
“As a result of the investigation we initiated, using two of the leading computer forensic investigative firms, we learned for the first time on January 1 2014 (preliminarily), and more concretely on January two and the days following, that sophisticated, self-concealing malware that can ‘scrape’ (fraudulently obtain) payment card information (‘the scraping malware) had been inserted into our system,” he wrote. “”We later learned that this malware had been inserted in our system as early as July 2013.”
The retailer’s first inkling that some wrong was going on was on December 13th, 2014 when its merchant processor reported that Visa has identified an unknown number of fraudulent purchases with cards that had been used at some stores. More reports of similar activities were sent by Visa and MasterCard in the following week. By December 20th, Neiman Marcus hired a forensics firm begin investigation and also alerted the federal law enforcement agency on December 23rd.
On January 2nd, the investigative firm told Neiman Marcus that the malware appeared to have the ability to covertly obtain credit card numbers. Neiman Marcus reported this to its merchant processors Visa, MasterCard and Discover the next day.
Kingston said the store’s system exceeds Payment Card Industry Data Security Standard (PCI-DSS) requirements. However, PCI-DSS does not require encryption of network traffic within a retailer.
Data cards used at Neiman Marcus pass through a point-of-sale device’s memory. Data is transmitted through an encrypted tunnel to a central point in the network, said Kingston.
The malware was able to defeat this system.
“The scraping malware was complex and its output encrypted,” Kingston said. “Over the next several days, the investigative firm worked to decrypt the output file by first reversing the malware to determine the encryption algorithm and then creating a script that employed the attacker’s algorithm to the encrypted data in order to decrypt it.”
On January 10th the store sent emails to the approximately 2,400 account holders affected and issued a statement stating that Neiman Marcus had suffered a “data security incident.”
On January 16, the company CEO Karen Katz issued a public letter on its Web site explaining that I had been a victim of an attack and told customers it would provide free credit card monitoring and identity theft insurance for one year to anyone who used any payment card to conduct business with the store during the past year.