NEW YORK (AP) — Luxury merchant Neiman Marcus confirmed
Saturday that thieves stole some of its customers’ payment card
information and made unauthorized charges over the holiday season,
becoming the second retailer in recent weeks to announce it had fallen
victim to a cyber-security attack.
The hacking, coming weeks after
Target Corp. revealed its own breach, underscores the increasing
challenges that merchants have in thwarting security threats. Neiman
Marcus didn’t say whether the breach was related to the massive data
theft at Target, but some security experts believe they could be part of
the same scam. Nevertheless, the recent security breaches at two major
retailers threaten to scare shoppers who worry about the safety of their
personal data.
Ginger Reeder, spokeswoman for Dallas-based Neiman
Marcus Group Ltd., said in an email Saturday that the retailer had been
notified in mid-December by its credit card processor about potentially
unauthorized payment activity following customer purchases at stores.
On Jan. 1, a forensics firm confirmed evidence that the upscale retailer
was a victim of a criminal cyber-security intrusion and that some
customers’ credit and debit cards were possibly compromised as a result.
Reeder
wouldn’t estimate how many customers may be affected but said the
merchant is notifying customers whose cards it has now determined were
used fraudulently. Neiman Marcus, which operates more than 40 upscale
stores and clearance stores, is working with the Secret Service on the
breach, she said.
"We have begun to contain the intrusion and have taken significant steps to further enhance
information security," Reeder wrote.
Robert
Siciliano, a security expert with McAfee, a computer security software
maker, says it is possible Neiman Marcus doesn’t yet know the extent of
the breach. He says he believes that the two thefts were likely
committed by the same organized group, based on his experience and the
fact that the incidents happened at around the same time.
"It’s a knee-jerk reaction that the security industry has right now," he added.
Target
disclosed Friday that its massive data theft was significantly more
extensive and affected millions more shoppers than the company announced
in December. The nation’s second largest discounter said hackers stole
personal information — including names, phone numbers, email and mailing
addresses — from as many as 70 million customers as part of a data
breach it discovered last month.
The Minneapolis-based Target
announced Dec. 19 that some 40 million credit and debit card accounts
had been affected by a data breach that happened from Nov. 27 to Dec. 15
— just as the holiday shopping season was getting into gear.
As
part of that announcement, the company said customers’ names, credit and
debit card numbers, card expiration dates, debit-card PINs and the
embedded code on the magnetic strip on the back of cards had been
stolen.
According to new information gleaned from its
investigation with the Secret Service and the Department of Justice,
Target said Friday that criminals also took non-credit card related data
for some 70 million customers. This is information Target obtained from
customers who, among other things, used a call center and offered their
phone number or shopped online and provided an email address.
Some overlap exists between the 70 million individuals and the 40 million compromised credit and debit
accounts, Target said.
When
Target releases a final tally, the theft could become the largest data
breach on record for a retailer, surpassing an incident uncovered in
2007 that saw more than 90 million records pilfered from TJX Cos. Inc.
Target
acknowledged Friday that the news of the data theft has scared some
shoppers away. It cut its earnings outlook for the quarter that covers
the crucial holiday season and warned that sales would be down for the
period.
___
AP Radio Correspondent Julie Walker in New York contributed to this report.
___
Follow Anne D’Innocenzio at http://www.Twitter.com/adinnocenzio

Copyright 2014 The Associated Press. All rights
reserved. This material may not be published, broadcast, rewritten or
redistributed.