Neiman Marcus: 1.1 million cards compromised

Summary: The retailer, however, said it has no knowledge of any connection between its data breach and the one disclosed by Target.

Upscale retailer Neiman Marcus confirmed that it was a victim of a data breach and that 1.1 million customer payment cards were scraped for data.

In a notice on its Web site, Neiman Marcus said that malware was installed on its systems and attempted to collect payment card data from July 16 to Oct. 30.

The news comes as payment systems are being examined for security at major retailers. First, Target came out with disclosures that as many as 110 million accounts may have been breached. Then Neiman Marcus surfaced as a victim in subsequent reports. Other retailers are also likely to come forward.

However, Neiman Marcus said it has no knowledge of any connection to the Target security issues. Neiman Marcus said it was informed by its merchant processor in mid-December about a potential breach.

Add it up, 1,100,000 customer cards were visible to the malware. Visa, MasterCard and Discover have told the retailer that 2,400 unique payment cards have been used fraudulently so far.

The good news for Neiman Marcus customers is that, so far, social security numbers and birth dates weren't compromised, store-issued cards haven't been breached and online shoppers aren't impacted.


  • Retaliation for the Neiman Marcus Cookie Recipe spam

    of the 1990's??? Hehe...sorry, bad pun, but couldn't resist.
  • Why does a company need a customer's...

    ...personal information? I see no reason for a retail company to have this information. I understand it may be required when applying for their store card. But once the card has been approved the information should be purged. Better yet it should never be processed by the retailer but merely forwarded to a third party who specializes in credit card processing.
    • Unfortunately,

      you cannot purge personal information for store issued cards. Accounting wouldn't okay this because of AR/collections.
      • That's not the point

        First of all, yes you can and still let Accounting have access, just keep it in encrypted form in the Accounting system, we do. We also don't let our systems be accessible from the Internet. Internet access is segregated so that employees can access the Internet for whatever reason, such as email. The Internet never touches our Internal network. No confidential information is kept on the Internet segment.

        But that's not the point. The thieves aren't stealing the data from internal systems, they're stealing the data from the POS (Point Of Sale) registers. The very act of swiping the mag stripe or scanning the chip, the data are taken even before they get anywhere else in the store's systems. That is why the stores are saying that the on-line side is fine. So, if purged or not, that is irrelevant.

        Keep in mind that stores aren't the only places credit/debit card's data are compromised. Gas pumps that accept cards are also vulnerable. So, before you accuse any store of leaking data, you need to check where you've filled in gas but paid by card.
  • You know this looks like a job for bitcoin...

    Now if you could have made these purchases with bitcoin instead of a credit card then there would be no information for them to compromise.
  • Easily infected

    Windows is too easy to infect and very hard to protect from infections. I worked for a bank before I retired and we didn't allow Windows applications in customer facing environments. Even then we had viruses come in through personal email accounts that were accessed from work.

    In addition, we blocked ALL external email accounts from any bank owned desktops or laptops by forcing the users to sign in to our VPN within 5 minutes of booting up or we disabled the WiFi adapter on their devices. Once signed in to the VPN, our firewall did the rest.

    Couldn't sit in Starbucks or the airport and read personal HotMail on company computers. In addition, we didn't support any form of BYOD within the company network.
  • social security numbers?

    Why would they have social security numbers?
  • Three and a half months?

    And they're just now getting around to realizing this?
    Chuck L