It wasn’t nearly as bad as the Target breach, nevertheless Neiman Marcus is reporting 1.1 million debit and credit cards used in its retail stores were compromised in the recently-revealed 2013 security breach.
While the forensic and criminal investigations are ongoing, the luxury retailer has confirmed at least one point: malicious software, also known as malware, was clandestinely installed on its system. Neiman Marcus said it appears that the malware actively collected or "scraped" credit card data from July 16, 2013 to October 30, 2013.
“During those months, approximately 1.1 million customer payment cards could have potentially been visible to the malware,” the company said. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.”
A Wakeup Call
We turned to Tom Cross, director of security research at network security firm Lancope, to get his take on the ongoing breach stories. He told us other retail organizations are probably asking themselves if their systems were also compromised, and how well prepared they are to respond in the event that this happens to them.
“Hopefully the news of these major retail compromises will serve as a wake-up call to senior executives that cybersecurity incidents can have significant consequences for their businesses and they need to be prepared,” Cross said.
Lancope recently commissioned a study by the Ponemon Institute on how well prepared IT organizations are to respond to cybersecurity incidents. Cross said Lancope learned that senior executives are often in the dark -- only 20 percent of survey respondents said their executives are frequently briefed on cybersecurity threats.
According to Cross, that can mean organizations are underprepared, because the leadership team isn't aware of the risks, and therefore isn't investing adequately in preparedness.
“Most of our respondents told us that investments in incident response preparedness have either declined or remained the same over the past two years, while the frequency of attacks has increased,” Cross said.
As for Neiman Marcus, the retailer said it appears that sophisticated, self-concealing malware, capable of fraudulently obtaining payment card information , was active on its networks. The company has so far acted responsibly in dealing with the issue, keeping customers informed and equipping them with solutions to help avoid loss.
“There are several other steps you can take if you are concerned about fraudulent activity,” the company said. “Check your statements to see if there is any fraudulent or suspicious activity. If there is any unauthorized activity, call your bank or financial institution in order to report the issue. Consumers may consider placing a fraud alert on their credit reports to help mitigate potential issues. To do this, you will need to contact one of the three credit reporting agencies.”