Neiman Marcus Breach Could Be Part Of Larger Holiday Cyberattack On U.S. Retailers

In the weeks following Thanksgiving, Target became the unlucky victim of a massive attack and data hack, which reportedly affected as many as 110 million people and exposed an array of personal data, including names, addresses and credit card information. With a second retail giant beginning to notify customers that it, too, has been hacked, it seems that we may just be scratching the surface of a larger cyberattack that took place during the holiday season.

This morning, Krebs On Security reported that upscale retailer Neiman Marcus has teamed up with the U.S. Secret Service to investigate its own data breach, which led to the theft of credit card and personal information. The company reportedly learned of the cyberattack in December from its credit card processor but has yet to disclose how many shoppers have been affected by the hack.

However, the company said via its Twitter account that it is beginning to notify customers whose credit card information has been “used fraudulently” since the breach in December. The forensics team it has been working with discovered that customer personal information had been compromised, but the company has “begun to contain the intrusion and have taken significant steps to further enhance information security,” it said in a statement about the breach.

Beyond how many of its customers were exposed to the attack, the company has yet to share details on how the breach occurred. There is no concrete evidence that the two attacks on Neiman Marcus and Target were linked, at least according to Krebs. Target has yet to publicly share details on its investigation, which could help other retailers discover whether or not the attacks were perpetrated by the same hackers.

However, Reuters has since reported that Neiman Marcus and Target were not the only victims of the Holiday Hack Attack ’13, as I’m calling it. According to Reuters, at least three other “well-known U.S. retailers” were subject to data breaches, which used “similar techniques” to the attack on Target. Not only that, but those investigating the events indicated that similar breaches may also have “occurred earlier last year.”

The report claims that hackers used “malicious software” to infiltrate the retailers’ databases and steal credit card information. Reuters’ sources indicated that one of the Trojan horses used by hackers was a “RAM scraper,” which allows the burglar to snatch encrypted data at a moment of vulnerability. This happens when the data appears in plain text as it moves through the live memory of the customer’s computer, according to Reuters.

Visa apparently warned of a series of attacks using this method that had been attempted on its network earlier last year, but while this kind of “RAM scraping” attack has been around for years, the report said that the attacks on Target and others were much more sophisticated. While cyber security itself has increased dramatically (and improved) over the last few years, it appears there’s still headway to be made.

While the attacks reportedly took place during the holiday season, the major retailers affected have delayed any public announcement about the cyberattack. The reason is that many credit card companies and banks are “forbidden” from naming merchants affected by attacks unless “they disclose that information themselves.” Naturally, big brand merchants would rather protect their image and business than publicly announce a breach.

It’s an understandable move to protect their business and prevent mass hysteria, but it’s also frustrating to customers, banks and many others who may not become aware of exposure until days, weeks or months after the attacks occur. Many states require companies to contact customers when their information is exposed, and usually it’s payment processors who bear that responsibility. But that’s not the case everywhere.

As more information on this comes to light, we may learn that the hackers ran a series of test-runs of their new methods involving RAM scraping and other techniques, which could be (or could have been) a harbinger of things to come. We also may learn that a host of companies have been exposed to these sorts of attacks, even though those companies may try to prevent that information from coming to light.

Image credit: SalFalko via Flickr