The upscale department store identified a security breach in mid-December, but sources tell the New York Times that the hacker’s trail leads back to July.
January 16, 2014 10:59 PM PST
Neiman Marcus’ downtown San Francisco store.
(Credit: Neiman Marcus)
A security breach that yielded Neiman Marcus customers’ payment card information went undetected for nearly six months, according a report in the New York Times.
The upscale department store revealed Friday that hackers may have stolen customers’ credit and debit card information during an intrusion it detected in mid-December, but sources told the Times that the earliest time stamp on the breach was from July. During a call with credit card companies on Monday, the company acknowledged that the intrusion had been fully contained only a day earlier, three days after it was publicly revealed, sources told the newspaper.
Neiman Marcus did not immediately respond to a CNET request for comment but told Reuters that it only learned of the breach last month.
Security camera captures decidedly low-tech Target ‘hack’
Target’s data breach: Yes, it gets worse
Obama calls for NSA reforms but defends agency
“We did not get our first alert that there might be something wrong until mid-December,” Neiman Marcus spokesperson Ginger Reeder told Reuters. “We didn’t find evidence until January 1.”
The luxury chain has not revealed how many of its customers may be affected by the security breach but said no customer Social Security numbers or birthdates had been compromised.
As with a recent high-profile breach at retailer Target, malware installed on in-store point-of-sale terminals appears to have been the avenue for data theft.
“Customers that shopped online do not appear to have been impacted by the criminal cyber-security intrusion,” Neiman Marcus CEO Karen Katz said in a statement to customers. “Your PIN was never at risk because we do not use PIN pads in our stores.”
In addition to disabling the malware, Katz said the company is beefing up its security and working with federal law enforcement officials and a forensic investigator to determine the source of the attack.