The Neiman Marcus breach is not as bad as previously believed, as the number of potentially affected cards dropped from 1.1 million to approximately 350,000.
“The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16 - October 30 period,” shared Neiman Marcus CEO Karen Katz. The forensic investigation has determined that the malware was operating at 77 out of 85 of the retailer’s stores, but not at every register or every day during the aforementioned period.
“Of the 350,000 payment cards that may have been affected by the malware in our system, Visa, MasterCard and Discover have notified us to date that approximately 9,200 of those were subsequently used fraudulently elsewhere,” she added, and also made sure to reiterate that Social Security numbers, birth dates and PIN numbers were not compromised, and that online customers were not impacted by the breach.
In the meantime, Businessweek reporters have reviewed a 157-page report about the breach compiled by consulting firm Protiviti, and it revealed that:
- The attackers are probably not the ones who breached Target, as they wrote specific code to compromise the Neiman Marcus network
- They had given the malware a name similar to the company’s payment software, so that when the endpoint protection logs were reviewed, entries tied to it wouldn’t stand out
- The malware triggered the company’s security systems on nearly 60,000 occasions, but it wasn’t flagged as such and removed, and the system didn’t automatically block suspicious activity because that particular feature had been turned off so as not to hamper system maintenance
- The design of the retailer’s POS system allowed attackers to reload the malware on a number of registers quickly after it was deleted at the end of each day
- The attackers compromised the POS system by way of a vulnerable Internet-facing server connected to it
- The company was in compliance with transaction data protection standards.