1.1 Million Cards Exposed in Neiman Marcus Breach

Neiman’s has disabled the malware and is offering free credit monitoring for anyone who shopped its stores at any point last year

Neiman’s CEO Karen Katz wrote in a statement on the company's website that malware was "clandestinely" installed on the network, and then from July 16 to October 30, 2013, it was actively scraping payment card data from in-store shoppers.
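The malware described here is a point-of-sale RAM scraper: it reads the memory of the payment application, where magstripe track data sits in the clear for a moment before it is encrypted and sent to the processor, and harvests anything that looks like a card record. The scanner below is an added example, not code from the article, from Neiman Marcus or from the investigators; it shows the same pattern match a scraper performs, used the other way round, as a hunting check against a memory dump. The sample buffer, the Luhn-valid test PAN 4111111111111111 and the file-path argument are all constructed for this illustration.

```python
"""Scan a memory buffer for magstripe track data.

Added example for this article, not code from the breach or its investigation.
POS RAM scrapers search payment-process memory for Track 1/Track 2 records;
a defender can run the same patterns over a memory dump to find exposed card
data or to confirm a scraper had something to steal. The sample buffer below
is constructed and uses a well-known Luhn-valid test card number.
"""
import re
import sys

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,60})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four (PCI DSS-style masking) so a finding can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return one finding per Luhn-valid track record found in buf."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": m.group(2).decode("ascii", "replace"),
                             "expiry": m.group(3).decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": m.group(2).decode("ascii")})
    return findings


# Constructed stand-in for a slice of POS process memory: a Track 1 and a
# Track 2 record for the same test card, plus a Track 2-shaped record whose
# PAN fails Luhn and must be dropped as a false positive.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"    # Track 1, Luhn-valid test PAN
    b"\x00\x00\x00"
    b";4111111111111111=2512101123456789?"              # Track 2, same card
    b"\x00garbage;4111111111111112=2512101000000000?"   # Track 2 shape, Luhn fails
    b"\x00\x00"
)


def main(argv):
    # Optional (assumed) usage: python scan.py <memory_dump.bin>; defaults to the sample.
    buf = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_MEMORY
    for finding in scan_buffer(buf):
        print(finding)


if __name__ == "__main__":
    main(sys.argv)
```

The Luhn filter matters in practice: a raw regex over hundreds of megabytes of process memory will match serial numbers, timestamps and random digit runs, and a hunting tool that reports those as card data wastes the responder's time. Note also that the check only confirms track data was resident in memory; whether a scraper actually read it is a question for the malware's own output files and network traffic.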

As for actual impact, the company still doesn’t know how many of its stores were affected by the breach or which ones – the Neiman Marcus Group includes Neiman Marcus, Bergdorf Goodman and Last Call. But Visa, MasterCard and Discover have notified the department store that only about 2,400 unique customer payment cards used in-store at Neiman Marcus and Last Call stores during the period were subsequently used fraudulently. And Neiman Marcus and Bergdorf Goodman store cards have not been impacted so far, to the company’s knowledge.

In further good news, card PINs, Social Security numbers and birth dates were not compromised, the company added. And online customers haven’t been affected.

The breach was discovered in mid-December when the company’s merchant processor warned it of potentially unauthorized payment card activity that seemed to follow customer purchases at Neiman Marcus Group stores. By Jan. 1, a forensics firm had found evidence that the company was the victim of a criminal cybersecurity intrusion and that customers’ cards were possibly compromised as a result.

“We informed federal law enforcement agencies and began working actively with the U.S. Secret Service, the payment brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading payment brand-approved forensics firm to investigate the situation,” the retailer said in the statement.

Neiman’s has disabled the malware and is offering free credit monitoring for anyone who shopped its stores at any point last year – and the forensics investigation goes on.

As for the question on everyone’s minds, the company said that it has no knowledge of a connection to the high-profile breach at Target, the No. 2 retailer in the US.

That status could change, though: according to intelligence from IntelCrawler, the malware that affected Target, distributed by Russian authors the firm called “very well-known programmers of malicious code in the underground,” has been selling like hotcakes and will likely be shown to be the culprit behind more department store data breaches as time goes on.
