Like the Target breach, which has now widened in scope to affect a whopping 110 million customers, the Neiman’s incident was first uncovered by cybersecurity expert Brian Krebs. In a statement to Krebs, the company said that it was informed of the breach in mid-December by its credit card processor, after which it informed law enforcement and the US Secret Service. It has “taken significant steps to further enhance information security,” the company added, but gave scant details as to how exactly it was doing that.
As far as the scope of the attack, it’s not known whether Neiman’s subsidiaries, which include Bergdorf Goodman, Horchow, Cusp and Last Call, were also affected. The company also hasn’t said how many shoppers could be affected, the dates of the breach or who may have carried it out. It has hired a third-party forensics firm to uncover more details, it said.
Meanwhile, just ahead of the weekend Target admitted that its widespread breach, which was carried out during the busy Thanksgiving-to-Christmas shopping period, is much larger than originally thought. The big-box fixture originally reported the compromise of payment data for 40 million individuals; now, it appears that this was complemented by the exposure of names, mailing addresses, phone number and email addresses for 70 million more in-store guests.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning. ”This theft is not a new breach, but was uncovered as part of the ongoing investigation.”
Some think that two hits in a row on high-profile retailers could point to a pattern and a shared set of perpetrators – perhaps a ring operating with a very advanced malware development capability. "With the possibility that a large number of retail organizations may have been victims of the same set of attacks, other retail businesses have got to be asking themselves if they were compromised as well,” said Lancope’s director of research, Tom Cross, in an email to Infosecurity. “It has been confirmed that malware was installed on point of sale terminals at Target, so other retail organizations should be taking a close look at their point-of-sale systems.”
Chris Petersen, CTO and co-founder of LogRhythm, said that the possibility of this being a larger initiative across several retailers points to the use of highly sophisticated malware, perhaps one that can rival that used for cyber-espionage by nation-states.
"Have we seen a cybercrime-driven Stuxnet-like capability applied to retail corporations?” he said in an email to Infosecurity. “Like Stuxnet, it would appear stealthy malware was introduced focused on compromising thousands of specific systems where cardholder and PIN data could be accessed in unencrypted form, likely via a memory scraper. To successfully accomplish this, highly sophisticated malware was almost certainly developed and deployed.”
That malware would need to compromise systems en-route to intended targets and remain stealthy in the process, only going active once the scale of compromise was sufficient to achieve the designers’ objective – i.e., mass data theft. “These are capabilities similar to the military-class malware Stuxnet is believed to have been in 2010,” he added.
Peterson also noted that the breaches should bring into focus the need for transparency when it comes to this type of crime.
"Currently, there is no national breach disclosure law,” he said. “While most states do have such laws, the teeth of the law are often insufficient to overcome concern regarding brand damage. Most breaches that go public still do so as a result of a third-party reporting [like Krebs]. What we don’t know is how many other companies were breached, or still are, from this same or similar attack."
The sheer scale of the known problems should raise a red flag. Eric Chiu, president and co-founder of HyTrust, noted that because of the density of data in today’s networks, thieves don’t just get some data -- they get it all. “Capturing address/zip code information makes credit card numbers far more useful to thieves,” he told Infosecurity. “Companies need to take an ‘inside-out’ approach to security – ensure that access to critical systems and data is protected from the inside through fine-grained access controls, including the NSA's new two-person rule and role-based monitoring. And ensure all sensitive information is encrypted as well. This is the only way to protect against insider threats, which are the No. 1 cause of breaches.”
Chiu also offered four simple steps customers can take following the breach:
-
Call your credit card company or check online to verify current charges. Look for any unusual charges, as attackers may sometimes test the waters to make sure the number is associated with a valid account before making a big transaction.
-
Call your bank to let them know of the breach so they can be on notice for any unusual activity. Request a new card, and change your PIN, as well as any passwords used to access online credit card accounts.
-
Activate fraud prevention services from your credit card provider. Most card providers offer good services where they monitor for unusual activity and will proactively call you to verify charges that don’t fit your usual profile of activity.
-
Sign up for a fraud-prevention service. They are relatively inexpensive, and it’s possible that Target may cover the cost of such a service, as other companies have done.
As we wait to see how far the rabbit hole goes on this pair of heists, Nathaniel Couper-Noles, principal security consultant at Neohapsis noted that revised figures and additional detail revelations are to be expected. “Target is not the first company to have restated the scope and impact of a breach,” he said in an email.
“Restatements, like Target’s as well as Adobe before them, demonstrate how hard it can be to put the pieces back together after they’ve fallen apart. Cyber security scenario-based exercises, penetration testing and red-teaming exercises are tools that enterprises large and small can use to predict the potential impact of incidents before they happen.”