Neiman Marcus says fewer payment cards exposed in breach than first thought
Neiman Marcus has revised downward the number of credit and debit cards exposed in a data breach, from 1.1 million to 350,000, according to a notice posted Friday on its website.
“The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores,” wrote Neiman Marcus Group President and CEO Karen Katz.
In a new detail, Katz wrote that 77 of 85 stores were affected during the intrusion, which took place between July 16 and Oct. 30, 2013.
However, Neiman Marcus also revised the number of card details that have been fraudulently used to 9,200, up from 2,400. Stolen card details are less useful to cybercriminals as time passes, as cards are cancelled by issuers if fraud is likely or the details expire.
Neiman Marcus is one of several businesses, including Target, the arts and crafts chain Michaels and a hotel management group, White Lodging Services, investigating cyberattacks against point-of-sale devices, the modern cash registers that read payment card data from the magnetic stripe of a credit or debit card.
Target’s disclosure in December that attackers stole upwards of 40 million payment card details was followed by a series of warnings from cybersecurity companies of widespread point-of-sale hacking. Target’s intrusion has been traced in part to a system used by a contractor to submit electronic documents.
The malware used in both the Target and Neiman Marcus breaches “scraped” payment card details after a card was swiped and the unencrypted data sat briefly in a terminal’s memory. Neiman Marcus has said it knows of no connection between its breach and Target’s.