Upmarket US department store Neiman Marcus has been hit by hackers who broke into systems before lifting an as-yet-unspecified number of credit and debit card details.
Neiman Marcus confirmed a security breach in a series of updates to its official Twitter account and apologised, without detailing the extent of the problem or commenting on its possible cause.
"The security of our customers' information is always a priority and we sincerely regret any inconvenience," the retailer said, before adding "we are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores."
Neiman Marcus provided a longer statement to investigative journalist Brian Krebs, who first reported the breach.
Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.
We have begun to contain the intrusion and have taken significant steps to further enhance information security.
The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.
Daniel Ingevaldson, CTO at fraud protection firm Easy Solutions, said fraud-watchers noticed a big dump of around two million high-value cards hitting the black market around the start of the year, something he theorised on Friday might have come from the Neiman Marcus breach.
"On Jan 4th, we saw a dump of 2 million cards onto the black market - one of the largest single day drops we've seen in a while. While we can't definitively say what the source of the breach was, the percentage of Extremely High Value cards is significantly higher than we see on average," Ingevaldson said in a blog post. "These are cards like the Amex Centurion card - an invite-only card that comes with a $7,500 setup fee and $2,500 annual fee. While it is hard to determine from a single black market, this would indicate these could come from a high end source, such as Neiman Marcus."
The latest attack against a high-profile US retailer dates from the middle of the Christmas shopping season, around the same time as a massive breach against US chain Target that resulted in the theft of 40 million credit and debit card records as well as 70 million sets of personal information.
Sources in the information security industry are telling El Reg that the Target breach involved installing malware on point-of-sale systems, a theory that's consistent with media statements by Target chief exec Gregg Steinhafel over the weekend.
Reuters reports investigators as saying that the Target and Neiman Marcus breaches have several features in common with each other – as well as with a series of hacks over the holiday season that also affected three other retailers in less significant breaches. The latter breaches are likely to become public over the next few days or so. Sources told the news agency that the as-yet-unidentified attackers used similar techniques and malware to siphon the data, prompting some to speculate that all of the incidents could be linked. ®