Dallas-based Neiman Marcus says that up to 1.1 million credit cards could have been compromised during a recent data breach.
The announcement comes as Neiman Marcus’ chief information officer testified today about the breach before a U.S. Senate committee. Michael Kingston appeared before the Senate Judiciary Committee.
Neiman Marcus is among several retailers to disclose data security breaches. Target experienced a massive breach during the holiday season.
A note on the Neiman Marcus website states that about 1.1 million customer payment cards could have been exposed in the breach. The malware attempted to collect card data from July to October 2013. Visa, MasterCard and Discover have notified Neiman that approximately 2,400 cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.
A data breach at upscale U.S. retailer Neiman Marcus potentially exposed payment card information from transactions at 77 of 85 stores between July and October of last year, the company's chief information officer told a U.S. Senate committee on Tuesday.
There was no indication the data breach compromised transactions on the company's website or at restaurants, and PIN data was not compromised, CIO Michael Kingston told the Senate Judiciary Committee hearing.
Upscale retailer Neiman Marcus isn't yet saying how many customers might be at risk, but it is confirming that a breach of credit card data took place. The company says it learned of "potentially unauthorized payment card activity" before Christmas. The company says it is working with federal investigators, and a forensics team is trying to determine the size of the breach.
The digital security expert Brian Krebs wrote today:
"Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain."
Krebs also says that a Neiman Marcus representative says there's no sign that the hack is related to the attack on Target, which said today that may have been stolen.
The Neiman Marcus website issued a message to customers. It says it has notified affected customers.
Here is the information we have learned so far, based on the ongoing investigations:
• Social security numbers and birth dates were not compromised.
• Our Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity.
• Customers that shopped online do not appear to have been impacted.
• PINs were never at risk because we do not use PIN pads in our stores.
While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively attempted to collect or "scrape" payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware. To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently.
We are notifying ALL customers for whom we have addresses or email who shopped with us between January 2013 and January 2014, and offering one free year of credit monitoring and identity-theft protection.