Neiman Marcus Data Breach FAQ: What to Do Now
A Neiman Marcus store in Newport Beach, Calif., Dec. 2013. Credit: Nandaro/Creative Commons
UPDATED Jan. 31 with additional information from the FBI.
Retailer Neiman Marcus has admitted that financial information from 1.1 million credit and debit cards used at the company's U.S. retail locations between July 16 and Oct. 30, 2013, may have been stolen by criminals.
Other questions have yet to be answered, such as whether the Neiman Marcus attack was related to the Target data breach or who was responsible for the theft.
Here's what we know so far, and what you should do if you think you have been affected.
What is a data breach?
Many companies, organizations and websites store sensitive data about their users, members and customers. The data can range from simple username/password combinations to credit-card or Social Security numbers.
A data breach occurs when sensitive data leaks out of its protected space, either by accident or deliberately. In the cases of the recent Target and Neiman Marcus data breaches, attackers compromised the protection around the data.
What happened at Neiman Marcus?
"We know that malicious software (malware) was clandestinely installed on our system," Neiman Marcus President and CEO Karen Katz said in a letter to customers posted on the company's website Jan. 22. "It appears that the malware actively attempted to collect or 'scrape' payment-card data."
Katz characterizes the malware as "sophisticated" and "self-concealing." A letter from the company to Sen. Richard Blumenthal, D.-Conn., says "the scraping malware was complex and its output encrypted," and that it was introduced into Neiman Marcus' system as early as July 2013.
Beyond that, Neiman Marcus has not said exactly what kind of malware infected its computer systems, how it got in and what kind of devices it affected. Sources told The New York Times that it was similar to the malware that later hit Target.
In Target's case, the malware was a special type of Trojan called a RAM scraper, which infected the point-of-sale (POS) devices in Target's U.S. stores. When a credit or debit card is swiped in a POS device, RAM-scraping malware captures the data from the card's magnetic stripe as the data passes through the device's memory, or RAM.
Neiman Marcus has not said what part of its system was infected, or whether POS malware was involved.
Katz said that, according to Neiman Marcus' investigation, approximately 1.1 million credit and debit cards may have been exposed to the malware between July 16 and Oct. 30, 2013.
Katz also said that Visa, MasterCard and Discover had detected that 2,400 credit cards used at Neiman Marcus within that time frame were subsequently used for fraudulent purposes. She added that there had been no fraudulent activity reported on American Express cards or on own in-house Neiman Marcus and Bergdorf Goodman credit cards.
What kind of information was compromised?
Neiman Marcus has not specified exactly what information was taken from the compromised cards, but in most cases involving cards used at a retail stores, the compromised data consists of "track data" stored on the magnetic stripe on the back of a credit or debit card.
Because track data does not include the three- or four-digit card verification code printed on the card, the stolen information often can't be used to make online purchases. However, criminals can copy track data onto a blank card to create a "clone" of the original credit or debit card, and then use the clone to make fraudulent purchases.
According to Neiman Marcus, people who shopped on the store's website were not affected by the data breach. The company also says debit-card PINs were not compromised because Neiman Marcus does not use PIN pads. (At Target, PIN data was stolen, but in strongly encrypted form that thieves may have difficulty cracking.)
It's possible that customers' personal information — such as addresses, telephone numbers and email addresses — was also compromised, but that information isn't stored on credit cards.
Neiman Marcus' offer of free identity-theft protection (as opposed to credit alerts) may indicate that personal data was affected, but it could also be just a public-relations move.
In her letter, Katz said that birth dates — and, more importantly, Social Security numbers — were not compromised.
In the Target breach, 70 million customer records consisting of individual names, mailing addresses, phone numbers and email addresses were stolen, but that data was probably held separately from the 40 million credit- and debit-card accounts that were also stolen.
Stolen personal information, which can be used to open new lines of credit under the victim's name, may be more financially damaging than stolen credit and debit card numbers, which are quickly frozen after a theft is discovered.
Is this related to the Target data breach?
It's not yet clear whether the Neiman Marcus and Target data breaches are related. The Target data breach occurred between Thanksgiving and Christmas 2013 and came to light on Dec. 18.
The Neiman Marcus breach began as early as July 2013 and continued through October 2013, but news of the Neiman Marcus breach broke on Jan. 10. Both breaches were first revealed by independent security blogger Brian Krebs.
Later in January, anonymous sources told Reuters that the Target and Neiman Marcus attacks may have been carried out by the same group, and that three other yet-unnamed U.S. retail stores may have been involved. (On Friday, Jan. 24, Krebs revealed that nationwide art-supply chain Michaels had also suffered a data breach — its second in three years.)
The malware used in the Target breach appears to have been a modified version of BlackPOS, a piece of RAM-scraping malware sold on black-market websites since March 2013. Some sources said it was specially crafted for Target's POS devices, which run Target's own in-house software.
It's possible that the malware used in the Neiman Marcus attack is closely related, but that doesn't mean it was used by the same attackers who hit Target. Malware writers often don't take part in actual cyberattacks, but instead sell copies of their creations to multiple criminal groups.
(Update: In a private notification to retailers Jan. 17 about point-of-sale malware, the FBI said "an inordinate amount of premier, high-limit credit accounts" were among a batch of stolen cards posted to cybercrime online forums on Jan. 4. The FBI did not identify the source of the cards, but the timing implies a connection to the Neiman Marcus breach.)
Have I been affected?
If you have been affected by the breach, and Neiman Marcus has your email address or phone number in its records, the company should have contacted you already. Your credit-card issuer may have contacted you separately.
If no one has contacted you, check your financial records to see if you shopped in a Neiman Marcus store between July and October 2013.
What should I do if I've been affected?
Contact your bank or card issuer if you believe you've been affected by the Neiman Marcus data breach. You should also contact a credit-monitoring service to make sure criminals aren't using personal information gleaned from the breach to open new lines of credit in your name.
Neiman Marcus is offering a year of free credit monitoring and identity-theft protection to all those compromised. You can visit this website to sign up.
Can I prevent this from happening in the future?
As with many data breaches involving credit cards, there's little individual consumers could have done to prevent exposure, short of using cash.
The best you can do is to try to minimize how much of your personal information you share with companies. For that reason, many security experts recommend you don't enroll in customer-rewards programs and other programs that ask for your name and email address.