Neiman Marcus latest reported victim of customer credit card theft

The security breach at American retailer, Neiman Marcus, is far more worrying than was disclosed originally. Over a million credit cards were affected in a ‘complex’ cyber-attack over several months, while the FBI is warning to prepare for more.

Dallas-based Neiman Marcus, which caters to upper-income shoppers, revealed on Wednesday that 1.1 million credit and debit cards – far more than the retailer’s original estimate - may have been compromised in last year’s spate of data theft.

The breach occurred through malicious software that collected payment card information from July 16 to October 30. Visa, MasterCard and Discover traced 2,400 cards belonging to customers of Neiman Marcus that were used fraudulently, the company said.

The malware used to hack the company’s systems was “complex and output encrypted,” said the retailer’s CIO Michael R. Kingston in a letter posted on US Sen. Richard Blumenthal website, a Democrat from Connecticut, who pressed Neiman Marcus for details on how they are coping with the cyber-attacks.

CEO Karen Katz apologized to customers in a statement published on its website.

“We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores,” Katz said in the letter.

Although the malware was discovered on New Year’s Day, due to the complex encryption of the malware it “took a few days to untangle the algorithm and create a script that would disable it,” the Dallas News reported. The malicious software was found in more stores on January 6, and not fully disabled until the 10th of that month.

To date, the company said it has received no information that customer Social Security numbers or birth dates were compromised.

Authorities are now investigating a possible connection between the credit card thefts at Neiman Marcus and the broader one that occurred at Target, America’s third largest retailer, which saw about 40 million credit cards compromised. Personal information, such as email and home addresses, was also stolen from as many as 70 million customers.

In an effort to trace the origins of the attack, the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center has partnered with Dallas-based iSight Partners, a cybersecurity company.

An Eastern European connection?

The malicious software that hit Neiman Marcus stores seems to be the same malware that lifted information from as many as 110 million Target customers, a person briefed on the investigations, who spoke on condition of anonymity, told The New York Times.

Investigators have declined to say whether the same hackers were involved in the Neiman Marcus and Target security breaches, yet the investigation seems to be leaning toward Eastern Europe as the origin of the Target theft.

It has been revealed that the virus used to breach Target’s firewall and compromise the personal data on millions of individuals, which was dubbed by hackers KARTOKHA (“potato” in Russian), first appeared on international hacking circles last spring.

Investigators say the source code of the virus contained certain words written in Russian.

Earlier this month, US authorities sent a 16-page document to retail companies, explaining how the cyber thefts were carried out. Now the FBI has warned companies about the risk of other such attacks: "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors," the report, seen by Reuters, said.

Many of the attacks on US retailers reportedly used the same kind of malware as used against Target, known as "memory-parsing" or "RAM scraper," which is software that is capable of compromising data at point-of-sale systems, for example, at the cash registers. The software skims payment data from a customer's credit or debit card by seizing the normally encrypted data as it briefly appears as plain text.

There seems to be a very good reason why hackers have focused on US retailers as a target for credit card theft: The US is one of the last countries to embrace the technology. In Europe, 81 percent of the cards contain so-called EMV chips – named after its founders, Eurocard, MasterCard and Visa - according to the consulting firm Celent, as reported by the Times.

Credit cards that use this technology feature a tiny chip that automatically creates a new code for each purchase, thus practically guaranteeing the safety of credit cards from malware tools.

While the United States accounts for just 27 percent of credit card purchases worldwide, it is responsible for 47 percent of card fraud, according to data from the Nilson Report.

Meanwhile, there has emerged a lucrative black market of sorts for hackers who are capable of developing the software that has sent tremors through the US retailing community. Last July, security experts at iSight Partners discovered that more than 20 percent of all online advertisements were from individuals seeking to hire hackers who are capable of breaching point-of-sale systems.

This demand has driven up rates for aspiring cyber criminals. Early in 2010, hackers were getting $425 to $2,500 for installing point-of-sale malicious software. By year’s end, their rates had surged to $6,500, according to a report by iSight Partners.

At a congressional hearing on data breaches scheduled for February 4th, business and political leaders are expected to discuss EMV technology.