A report from upscale retailer Neiman Marcus states that the retailer was a recent cyber attack victim when about 1.1 million customer cards were involved in a data breach from July 16 to October 30, 2013. Information sources have also told the international news agency Reuters that other, as yet unnamed, retail chains have also been breached. On January 17th, the FBI issued a confidential report to U.S. retailers, which described risks posed by malware placed on point of sale (POS) systems.
Top management personnel from the National Retail Federation have issued a statement concerning the FBI's report that warns retailers about additional cyber attacks targeting the $5 trillion retail industry. The report outlines common hacking techniques used by cyber criminals to access user data according to NRF's Senior Vice President, and General Counsel, Mallory Duncan.
Duncan cites the hackers' 21st-Century level of sophistication vs. the 20th-century credit cards that rely on the flawed point-of-sale (POS) card system that are causing major issues for the payment card industry (PCI). Duncan is calling for a joint effort by all parties involved to eliminate this fundamental POS flaw and enhance cyber security.
The FBI report was issued after the Target holiday attack that affected as many as 110 million people. According to the New York Times, an involved source, who has asked to remain anonymous, said the report also mentioned that it appears the same malware used to breach Target's systems is the same malware that was also installed on the Neiman Marcus terminals. The Neiman Marcus information security breach is also much worse than originally reported. Why it took so long for Neiman’s to identify the cyber security problem has still not been addressed.
The luxury retailer was notified by Visa, MasterCard, and Discover that approximately 2,400 cards used at Neiman Marcus and its Last Call outlets have since been fraudulently used. Once card information has been captured and balances checked, the cards are duplicated and sold on the web sometimes for as much as $1000.00 as the "no limit" black card.
News outlets report still other retail outlets may have been compromised last year though news as to the identity of these stores has not yet been made public. One thing is for certain. We have not heard the last of data breaches targeting retailers.
