Friday, March 29, 2024

Neiman Marcus Downsizes by Two-Thirds Its Tally of Cards Compromised in Breach

In a rare piece of good, or at least not-as-bad, news about the recent retailer payment card data breaches, upscale department-store chain Neiman Marcus Group says about 350,000 cards were compromised in the breach it disclosed in January, down from its earlier estimate of 1.1 million.

The number of card accounts on which fraud has actually occurred, however, is now up to 9,200, versus earlier estimates of about 2,400. Neiman Marcus has said the breach resulted from so-called memory-scraping malware that ran on many of its point-of-sale registers in 77 of its 85 stores from July 16 to Oct. 30, and that its presence was not confirmed until Jan. 2.

Neiman Marcus president and chief executive Karen Katz provided the new numbers in an updated post on the company’s Web site Friday. “Our investigation has now determined that the number of potentially affected payment cards is lower—approximately 350,000,” she said. “The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16-Oct. 30 period. Of the 350,000 payment cards that may have been affected by the malware in our system, Visa, MasterCard, and Discover have notified us to date that approximately 9,200 of those were subsequently used fraudulently elsewhere.”

A spokesperson for Dallas-based Neiman Marcus provided some further detail in an email to Digital Transactions News. “The 1.1 million number was based on an assumption that the malware was operating at all of our stores, every day between July 16 and Oct. 30,” she says. “It reflects the number of cardholders who shopped at all Neiman Marcus Group stores during that time period. Our forensic investigators and internal personnel have completed the more detailed analysis to determine the number of payment cards used at the specific stores and specific days when and where the malware was operating. That number, 350,000 (the precise number is slightly less), reflects the fact that the malware was not operating during a substantial period of the time across all stores.”

In testimony to a U.S. House of Representatives subcommittee Feb. 5, Neiman Marcus chief information officer Michael R. Kingston indicated that the number might be headed down because the malware was not operating in all stores all the time between mid-July and late October. “The number of unique payment cards used at all Neiman Marcus Group stores during this period was approximately 1.1 million,” Kingston’s written testimony says. He later added: “Thus, the number of payment cards that were potentially exposed during this period appears to be lower than 1.1 million, although we have not yet determined how much lower.”
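The narrowing described above is a scoping exercise that incident responders run routinely: the worst-case figure counts every card used anywhere in the chain during the outer breach window, while the refined figure counts only cards used at a store on a day the forensic timeline shows the malware actually running there. The script below is an added illustration of that calculation, not Neiman Marcus data or code; the transaction records, store identifiers and per-store activity windows are constructed placeholders, and card tokens stand in for the hashed PANs an investigation would actually work with.

```python
"""Scope a POS-malware exposure: naive outer window vs per-store activity windows.

Added illustration (constructed data, not the retailer's own records).
"""
from collections import defaultdict
from datetime import date

# Constructed sample transaction log: (card_token, store_id, transaction_date).
# In a real investigation the token is a hashed PAN pulled from settlement data.
TRANSACTIONS = [
    ("c1", "S1", date(2013, 7, 20)),
    ("c2", "S1", date(2013, 8, 5)),
    ("c3", "S2", date(2013, 9, 1)),
    ("c4", "S3", date(2013, 10, 15)),
    ("c1", "S2", date(2013, 10, 29)),
    ("c5", "S2", date(2013, 9, 20)),
]

# Constructed sample: inclusive per-store intervals during which register
# images show the scraper running. S3 has no confirmed activity at all.
MALWARE_ACTIVE = {
    "S1": [(date(2013, 7, 16), date(2013, 7, 31))],
    "S2": [(date(2013, 9, 15), date(2013, 10, 30))],
}

# Outer window used for the initial, worst-case disclosure.
BREACH_START, BREACH_END = date(2013, 7, 16), date(2013, 10, 30)


def naive_exposed(transactions, start=BREACH_START, end=BREACH_END):
    """Worst case: every distinct card used at any store inside the outer window."""
    return {tok for tok, _store, day in transactions if start <= day <= end}


def active_on(store, day, windows=MALWARE_ACTIVE):
    """True if the malware is confirmed running at `store` on `day`."""
    return any(lo <= day <= hi for lo, hi in windows.get(store, []))


def scoped_exposed(transactions, windows=MALWARE_ACTIVE):
    """Refined: distinct cards used at a store on a day the malware was active there."""
    return {tok for tok, store, day in transactions if active_on(store, day, windows)}


def exposure_by_store(transactions, windows=MALWARE_ACTIVE):
    """Per-store breakdown, the form acquirers and card brands want for notifications."""
    per_store = defaultdict(set)
    for tok, store, day in transactions:
        if active_on(store, day, windows):
            per_store[store].add(tok)
    return dict(per_store)


if __name__ == "__main__":
    print("naive  :", len(naive_exposed(TRANSACTIONS)))
    print("scoped :", len(scoped_exposed(TRANSACTIONS)))
    print("by store:", {s: sorted(c) for s, c in exposure_by_store(TRANSACTIONS).items()})
```

The point worth noting is that the refined count can only shrink relative to the naive one, because it intersects the same transaction set with a stricter condition; a card used at a compromised store outside the confirmed window, or at a store with no confirmed activity, drops out. The quality of the result is entirely bounded by how completely the activity windows were recovered from the forensic images.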

Neiman Marcus was “erring on the side of caution” when it first went public with the 1.1 million figure, says Alphonse R. “Al” Pascual, a senior analyst at Pleasanton, Calif.-based Javelin Strategy & Research specializing in security and fraud-control issues. He also says, “Their hand got forced” when media reports about the breach came out before the company’s confirmation of the breach. The KrebsOnSecurity blog broke the news of the Neiman Marcus breach and earlier first reported the far larger one at Target Corp.

Still, breached companies have become more cautious in recent years about disclosing the number of compromised records, according to Pascual. Rather than give an estimate of the total number of records potentially exposed, they hold back until the number of records actually exfiltrated, or siphoned out, from a computer system is known. Pascual said that happened with merchant processor Global Payments Inc., which was able to counter an early report that up to 10 million cards could have been compromised in the breach it disclosed in 2012 with a statement that fewer than 1.5 million were.

Such tactics can help a breached organization from both a public-relations and a legal standpoint, since breaches often spawn lawsuits. “Obviously, there are liability concerns,” Pascual says. “If you are a breached organization, you want to give the other side as little ammunition as possible. It’s better to revise downward than revise upward…it looks better for them at the end of the day.”

Minneapolis-based Target is scheduled to hold its fourth-quarter earnings conference call at 9:30 a.m. Central time Wednesday, during which senior management will presumably provide preliminary estimates of the financial hit the discount retailer expects from its massive breach. Target says the breach affected 40 million payment cards and non-card information on 70 million customers.


Digital Transactions