Credit card hackers who broke into Neiman Marcus payment systems were able to steal data from the firm between Sept. 1 and Dec. 17, a person familiar with the investigation told BobSullivan.net on Monday. That’s considerably longer than the 18-day window that hackers were said — at least initially — to access Target’s payment data, from Nov. 27-Dec. 15. Banks were informed of the attack on Dec. 20, the source, who requested anonymity, said. The source also said criminals were able to steal magnetic stripe data from the retailer, which includes most information that would be need to print clones of consumers’ credit cards and commit fraud.
The proximity of the discovery and end of the two attacks — Target on Dec. 15, and Neiman Marcus on Dec. 17 — is further evidence that the two events could be related.
Neiman Marcus would not comment on the new information released to me.
“I am not commenting on anything while we are in the midst of a criminal investigation,” said Ginger Reeder, Vice President, Corporate Communications. She confirmed that the chain first learned of the attack in mid-December.
“(We were) informed by our merchant processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores,” she said.
Neiman Marcus is the second retailer to announce a major credit card heist around the holidays. The Reuters news service reported during the weekend that other as-yet-unnamed retailers have also been victimized. The news service also claimed that hackers used a relatively new “RAM scraping” technique to steal the data. Described in great detail back in 2009 in this Dark Reading article, RAM scraping involves stealing data while it’s being processed, when it is not encrypted.
Sign up for Bob Sullivan’s free newsletter.
Be the first to comment