January 10, 2014

Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.

neimanEarlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.

Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.

Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.

The entirety of the company’s formal statement is as follows:

“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”

The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.

Target released additional details about the breach today, saying hackers also compromised the names, mailing addresses, phone number and email addresses for up to 70 million individuals. But Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers.

Neiman Marcus’s Reeder said the company has no indication at this time that the breach at its stores is in any way related to the Target attack. Still, the timing of the discovery of the Neiman Marcus incident — mid-December — roughly corresponds to the discovery of the Target breach. I will have more on this developing story if additional details become available.


126 thoughts on “Hackers Steal Card Data from Neiman Marcus

  1. BT Richards

    Clearly PCI-DSS is a failure. It only creates a check list to keep bean counters happy.
    Having said that, one requirement is to report any suspected breach. Why are these retailers not reporting?

    1. C Doom

      PCI-DSS is a compliance standard. Compliance can be a means to security, but an enterprise can and often does use compliance as a substitute for security. If a company wants to evade security in the name of expediency or “business need,” PCI will allow it to occur.

      Point fingers and pitchforks not at the PCI DSS, but rather at companies that use compliance as an excuse not to perform security.

      1. Stephanie

        I agree. Companies have to equip themselves with the proper compliance tools. http://www.sherpasoftware.com/blog/re-introduction-to-the-payment-card-industry-data-security-standard/

        PCI DSS is not without its critics. Complaints include accusations that the standards allow the card companies to issue fines and penalties against non-compliant entities, even in cases where no evidence of fraud exists. Others complain that the standards are essentially subjective, inherently inconsistent, confusing and altogether too expensive to implement, particularly for small retailers.

        Proponents of the standards argue that at least they are a step in the right direction by forcing retailers to think about and take security seriously, thereby protecting themselves, the financial institutions and – ultimately – the privacy and protection of the consumer.

    2. Adrian

      There is indeed a section that requires them to report suspected breaches… but it relies on them having identified that there is a breach. In this example (and many others it would seem) attacks are often discovered by everyone but the company breached.

    3. R James

      PCI a failure or the QSA Company who did the evaluation a ‘failure’?

      Do some research and you will find that Trustwave is the ‘go to’ for a “Blind Signature” (cheap) Report on Compliance.

      The PCI DSS is not at fault. It is only a guideline. The fault here when you have needlessly acquiescent QSA Companies capitulating to the very whim of their customer.

      Criminally negligent? Breach of fiduciary responsibility? Maybe … the courts will decide.

      1. NotMe

        Working with Trustwave is not a cheap sign-off at all. Go ahead and run the scan do your remediation and if you don’t fix the problem you don’t pass. You can appeal but they will still make you fix the issue if you can’t prove it’s not a false positive. I suppose you could cheat and use your firewall to block stuff, but why pay for the tests and not be honest about it? You would only be hurting your employer and not doing your job as a security professional. Compliance department or not the rubber hits the road eventually, and it will catch up to you.

        1. Leigh

          You’re only referring to 11.2 (quarterly scans). My guess is you are some kind of sysad who just works on that one aspect of PCI. Trust me, there are PLENTY of other requirements that QSAs can turn a blind eye to and I’ve worked with all the major ones. Some factors that contribute are: 1) How big a customer are you? 2) How many other clients is that particular QSA busy with? 3) Are they late and need to get your ROC signed off on in a hurry?

          On a separate note, I read that Target built their own POS sytem (red flag, pardon the pun). I say red flag becuse retailers don’t get it: they are not software companies!!! I have worked in security for the top 2 software companies in the world and let me tell you, even they don’t get security right all the time (you already know this) and they’ve all been burned by this so many times they have tight internal controls and phased steps to release code. In contrast, several years ago I worked for a billion-dollar retailer (not Target) who built their own POS system. This effort was led by a middle-aged “developer” turmed “executive” who’d never worked for a major software company , didn’t know best practices, didn’t separate devs and testers (in fact the ratio was like 4 devs to one tester – BAD idea!), didn’t emphasize secure coding standards and was all about releasing new versions of the code all the time, with barely-tested builds being pushed out weekly. Why? because the software was so buggy, it crashed constantly and needed constant repairs. With each modification there allowed for the introduction of code with secrity weaknesses. You think management was paying attention? No way…they were mostly concerned about keeping this jalopy running so they could keep revenue flowing. Security was never the focus and even the Security and Internal Audit teams — who brought this up repeatedly — were disregarded since managemnt was way more fixated on tangible, immediate risks like the outages that had become routine. Was this company breached? Well, not that it was *aware of* but it seems like a ticking time bomb if you ask me, and they would never have known it either.

          Oh btw, they were well on the way to getting their first ROC when I left. Their QSA barely understood how their POS stored and encrypted CHD.

    4. karl napf

      Not really, its just the fact, that it is not enforced, as it should be and that most guys, dealing with it altogether, do not really now, what and how!
      Working in support for compliance products it is pretty obvious, that the general knowledge of people, dealing with the software on a daily basis, still don´t know, how it does work, or even why they have to carry out the comprehensive tests at all.

    5. JOSE NAVARRO

      PCI-DDS is only part of the solution. Canadian Banks transferred to chip technology on debit and credit, not because it was fun or inexpensive, but because the level of fraud and identity theft had become unbearable for the clients and the Banks. We know that in time, even chip technology could be compromised, but to date it has reduced the exposure to fraud significantly. Eventually US Banks will have to face the situation and migrate to the technology that is now prevalent in Europe and Canada; it is only question on how much financial pain are they willing to endure.

    6. UCclouds

      PCI as others have stated isn’t the Security Team it’s the guideline. Most companies big and small run their quarterly scans and are “happy” that they pass. But these same companies are getting breached because they are not monitoring their infrastructures in real time.

      How many have had a malware on their PC? How long had it been before you discovered it. There are simple tools that are used to mitigate potential breaches. Not just anti viruses but malwares, skimming, etc.

      How many companies are breached that we never hear about? I recently met with an Association that anyone wanting to purchase PII would find as a Gold Mine. Out of 50 people in the room, only two of them were doing anything to protect their PII.

      There are solution out there, but the companies need to search for them and consider solutions that are not traditional.

      I hope that this is a wake up call for businesses that are responsible to their customers and their data.

      1. nona

        This is the second post that states the DSS is a guideline… >< The DSS, as the name suggests, is a standard. Not a guideline that doesn't have to be followed or repeated! The standard is required to be met as part of the member agreement with the card brands. Maybe some people should re-read the standard and merchant agreements.

    7. Travis Hershberger

      BT Richards, not only is PCI-DSS policies are so outdated they actively create security risks. If you are PCI-DSS compliant, you will not be secure. (See password policies.)

  2. Gourav

    Hey Guys,
    Slightly off topic but I saw some of the comments mentioned B’lore, India and probable insider job in target theft.Though I dont want to use the “R” word for those comentors now, I would suggest them to refrain from such type of commenting. An insider breach is insider breach and the location doesnt matter. I hope my learned driends will understand that.

    1. saucymugwump

      @Gourav “I dont want to use the ‘R’ word for those comentors now”

      Haven’t you figured out yet that your ignorant comment is a major reason why many people hate liberals, always resorting to preconceived notions?

      On the contrary, I made those comments for technical reasons.

      In the old days, all aspects of software development were maintained in one building or campus. Everything was behind one firewall. If communications were necessary, companies would lease T1 lines for secure transmission.

      However, when databases are stored in country X and source code is stored in country Y, and employees are accessing nodes from all over the world — and everything is transmitted across the Internet where it is not possible to restrict packets to a specific route — it becomes rather difficult to keep everything secure, as we have seen.

      I realize that Gourav’s mind is already made-up, but others might find the below blog post relevant:
      American schadenfreude and the Senate Gang of Eight’s fraudulent immigration reform bill S.744

      1. JimV

        Take your neofascist blather and shill it somewhere else.

      2. Snarky IT Sec

        Why does every corporate kool-aid drinking, Ayn Rand worshiping moron spread the “Insider” nonsense? Do you guys get paid by some corporate PR firm, to draw attention away from the obvious issue: that retail corporations will do the absolute minimum to protect their customers data? I work in IT Sec for a retailer and to paint the picture – we have twice the number of “compliance specialists” as we do actual IT Security guys. The compliance specialist spend their day trying to construe how we are meeting the minimal requirements, while not actually doing it. Grow up and realize, companies and retailers have no incentive to protect your data.

        1. KFritz

          So, would it be safe to say that breaches would be fewer, smaller, and less spectacular if the corporate establishment wasn’t asleep at the switch on IT security?

        2. Leigh

          I could not agree more…(and I’m a “compliance specialist”!!)

  3. Laura

    It wasn’t just Target and N. Marcus that had this problem; Walmart also had accounts hacked, email addresses tampered with, and fraudulent charges from stolen credit card info. Shoppers who purchased on Walmart.com on either December 9 and 10 potentially had their accounts compromised. It was difficult to find a phone # to call for Walmart.com after seeing trouble on my account and credit card; when I did get a number there was actually an outgoing message that said “if you think there was misuse of your account on Dec 9 and 10 press 4.” The breach was confirmed by the phone representative and I had my account canceled and credit card replaced. Why has no one reported on the Walmart.com breach?

    1. RBBrittain

      Two days at Walmart.com is nothing compared to over two weeks (possibly longer) at Target B&M. Besides, what you’ve given suggests a more targeted attack (NO pun intended) at Walmart.com that may NOT have affected ALL its customers on those two days.

      1. Dennis

        It depends on your market. I work for a community bank, and while Target caused us to reissue several thousands of cards, if it would have been Walmart it would have been 10-20x worse for us. Even a couple day issue at Walmart stores in markets where we have multiple branches would be a larger impact to our customers.

        I would love to see the US go to Chip and Pin on it’s cards, but until Walmart and a few other players requires it, it’s not going to happen (or won’t happen quickly).

  4. Karen

    Business Insider is reporting Target and Neiman Marcus are not the only retailers that got hacked around Christmas, that there were smaller breaches at 3 other well known retailers.

  5. IA Eng

    There has to be a “web server bundle” that has definate flaws within it. It seems to be “targeted” at larger businesses, and that usually means servers and operating systems that can operate a bit faster – as long as security doesn’t slow them down.

    The problem here is, at least I think it is, is that the Feds have seen this hack over and over and over again. People using the same web server set and there is a definate flaw that is being used. This set is allowing the hackers to punch holes through whatever – if any – security these sites have, and they are in creating havoc. So, if there is any FBI style intelligence that is gathered and passed onto the larger businesses, then its on the businesses, and they should be held liable and accountable.

    Yes I know it says Secret Service, but there are organizations within the FBI which are supposed to mentor companies and assist if needed. Buisnesses are really shy to say – Hey Fed – we need help with security. Then, they say the same line when the breach occurs. So, in the end, who’s fault is it?

    There needs to be a proactive security enterprise. How do you get there? You have the Federal Governement(s) build a secure PC that can run with the current Operating system and Web server. You make the company PAY for the secured server via the formal channels through the vendors. If its security laxes because it is not patched, then warning signs – much like the security spam in Java – then its on the company to make it right.

    The tech field is hurting for people who are advanced. The companies, if they can find these individuals won’t pay for them on a salary basis, and rather roll the dice and take the risks associated with a junior team and see how long the gravy train lasts before they too become a “victim” of their own negligence.

    If I was a Business CEO, CSO or other “O” and there are a TON of breaches using the same Operating System and Web Server out there, I’d be one of the FIRST to be telling the Security Team to switch over to a more secure product.

    With Port 80 wide open on most businesses, its a port that will be vulnerable, cuz the crooks know that. Having any sort of backend SQ* style database seems to be flawed, and Businesses refuse to go to a 3rd party payment system (like PAYPAL) to avoid handling credit cards. This in my opinion is moronic – why not rid yourself of the hassles of CC info ?

    The thought process of business management and (in)Security is truly in the bottom of the commode.

    1. greenja

      Want to get the CEO’s/CFO’s/CIO’s attention to info sec? Have the Board of Director’s fire them after a negligent breach is found.

      1. IA Eng

        Sheeeeeet. And another one comes in with the same attitude and (non) direction. Think Proactive vice Reactive. The intent is proactive stance against insecurity, not dealing with the fallout afterwards.

        Thats half the trouble with most major corporations. Sure the “O” is ultimately responsible for everyone, but that doesn’t mean the managers below him are angels. I bet they have more time on social sites that IT tech sites…. same with many employees.

        Knee jerking in IT by initiating a heads will roll attitude will show lower morale, if it can get any lower. Invest in a decent security plan and business modeling will follow. So will trusting, loyal customers.

  6. Jorge Q

    What we really should be ashamed of is a legislature that doesnt care enough to impose the same types of privacy laws as we have in Europe. Perhaps then, we wouldnt be as apprehensive of “identity theft”. Lets get real, identity theft has become a big business here, and simlar to cancer, why cure it when there is so much money to be spent , ahem, i mean invested in finding a cure! Lets cure symptoms, shall we?!

    Tell your legislators to pass privacy laws to make identity theft a thing of the past, and perhaps you’ll sleep better.

  7. Andy Reed

    One of the major hindrances, especially with businesses in the UK is their reluctance to disclose security breaches. If there were a little more transparency, and accountability many organisations may start to look at data protections a lot closer.

  8. tjallen

    A close reading of the NYTimes article on the Neiman Marcus breach says the company is notifying those whose “cards were used fraudulently after visits to Neiman Marcus stores.”

    In other words, they are NOT notifying all those whose cards may have been compromised or put at risk, but only those which showed a fraudulent charge after being used at N-M.

    We consumers need laws to force them to reveal the full info?

    1. d

      My card was comprised at target, but the company never notified me, my bank did by sending me a new card. No wonder Neiman Marcus isn’t notifying everyone who went into the store that day.

      1. Anon

        There is no way for Target to have contact you. They do not get your address or contact information, unless you shop online or use their Red Card. The bank is the only one who can contact you.

        1. AlphaCentauri

          Target: Hello, banks, we just had a security breach and lost 40 million credit card numbers. We’d like to notify those people. Please let us download their contact information onto our computers.

          Banks: um, no.

  9. JR

    The US House Energy and Commerce committee is currently working on an overhaul of the Communications act in order to reflect changes in technology. Chair of the Technology subcommittee is Greg Walden (OR) and one of the key members is a former FBI agent and also Chair of the House Permanent Select Committee on Intelligence, Mike Rogers (MI). I watched the hearings on the Affordable Health Care act software meltdown and both of them struck me as reasonable and knowledgeable people. (I can’t speak for others on the committee – I just don’t know.)

    If you have anything you want to have considered as this legislation is overhauled, I’d encourage you to contact them and make your views known.

  10. BN

    I discovered several victim’s card information was compromised while using Toy-R-Us.com.mid December. Has anyone else heard of any breaches with Toys-R-Us? I’ve reached out to them, but have received no reply. Thanks

    1. TheHumanDefense

      BN,
      That’s a new one. I have been hearing about some type of issues with walmart.com but not toysrus.com. However, the .com issues could be cards getting compromised in a cross scripting scheme where in folks have a site open at the same time as another site is running in the same browser and grabbing data over the browser. this is why it is so important (when using IE) to use the private browsing function. Again, just assuming. Might not be that the site was compromised. This is where it can get a little difficult without someone conducting forensics to determine where the issue is happening.

  11. Julianne Keil

    The new PCI-DSS rules include a Primary Account Number or PAN Scan. iScan is very comprehensive tool that includes this scan in the iScan PCI scan as well as being able to run the scan independently. Our cloud solution is also the most cost effective on the market. For anyone who would like more info, please feel free to visit the iscan website at iscanonline.com or contact me at jkeil@iscanonline.com for a demo. Here’s a sample of the report:
    http://www.iscanonline.com/page/pan-report

    1. Serena

      Why is your website’s registration info private? And you have only a PO box for your address?

    2. JCitizen

      Besides the fact that it would help your credibility if you would advertise on Brian’s site; instead of spamming for free? I don’t recall seeing any ads of yours here.

    3. bob

      “The new PCI-DSS rules include a Primary Account Number or PAN Scan”

      Do they? Where?

      Not that it makes much difference when PCI-DSS compliance means filling in a self assessment questionnaire and submitting a URL for an external Nessus scan. Woo-hoo – now I’m secure!

      1. Leigh

        I share your skepticism about SAQs but both Target and Nieman would be Level 1 merchants, meaning they’d have to file a ROC. Which is why I just submitted a question asking what QSAs signed those ROCs. I’m not sure why no one is mentioning this as if it’s akin to spreading industry gossip…this is public knowledge and those QSAs need to have some skin in the game. If I were shopping for a QSA I’d want to know if mine signed off on those reports prior to a big breach.

  12. MrPete

    I suspect that where this will go is a claim by merchants that PCI DSS is “industry standard” for security compliance, and if certified as compliant they cannot be held liable.

    The result of THAT travesty will likely be a (much needed) shakeup. Too many people easily assume that a set of bullet point rules and requirements amount to good security.

  13. TheHumanDefense

    Just an FYI – There are national news agencies now reporting that other then Target and Neiman Marcus, there are 3 other major retailers now reporting breaches, but have not released the organizations names yet.

  14. Mike Sangrey

    Hacking of credit (and debit) cards at Western retail outlets the month preceding Christmas should be no surprise to anyone. If customers are going to be encouraged to spend money at time X, criminals are going to gather at the same time and place.

  15. undisclosed

    I’ve heard, from trustworthy sources, there may have been a breach at Roboform? Anyone else heard anything?

  16. KrebsonSecurityFan

    I’m seriously thinking about using a pre-paid credit or debit card instead of cards issued through financial institutions, at least for on-line purchases.

    Also, I heard about getting an old-style ATM card that isn’t a debit card. (One without a VISA or Mastercard logo.) Are those even still available?

    1. Bruce Hobbs

      Yes, 5/3 Bank, based in Cincinnati, issues those; I have one. It is fairly plain, without a Visa/MasterCard/Discover/AmEx logo anywhere on it. The back does have Jeanie and Pulse logos and a place to sign it, which I haven’t done because it never requires a signature. It has a 17-digit number.

      It can be used nationally but only as a debit card and requires a PIN for every transaction. Thus, if it is lost or stolen, it is totally useless to whoever ends up with it.

      My understanding is that bank fees to the merchant are lower than for a credit card so I use it frequently.

    2. Jason

      I don’t recommend BofA as a bank, but if you’ve already got them, their online banking app has MBNA’s “Shop Safe” temporary credit card number generator. You can generate a card number that is good for the amount of months you specify, and only to the dollar amount you specify. I have BofA and use this feature exclusively for online purchases.

      CitiBank also has this sort of feature available. However, they don’t have proper security in place, so I’ll not have another account with them so long as my other accounts don’t have breach problems that they had. Look back a few years ago and you can see the CC/customer breach info problems they had. I personally experienced this, and they had to send me 3 difference replacement cards over a 2 month time span. I never even removed those cards from my home – they sat in my filing cabinet. I only ever used them with their Virtual Credit Card option for online purchases. There was no way for someone to get the original credit card number unless they were the USPS and steaming open my envelopes, or if it was an insider CitiBank job. My frustration was that I could identify this after the 1st credit card replacement, but CitiBank could not and would not talk to me about the problem. After they send me the third card, and I hadn’t even opened the envelope (and clearly could not have activated it), and it was being used fraudulently, I called them up and cancelled my account.

      I would suggest getting a CC with a bank that offers these temporary online cards. Then use that CC account exclusively for online purchases, and only using those temporary online card numbers.

      Second, never use your physical cards for other accounts online. This makes keeping track of purchases much easier. Finally, use something like GoodBudget to enter your purchases as you make them. Then you can cross-reference the purchases you made (and recorded) to your CC statement in record time. This is really the only way to spot low-dollar fraud charges at common stores that you frequent.

      Also, I would suggest getting an ATM-only card from your bank/credit union. I’ve done this and use it at my local grocers who only do ATM (fee-free, so not a problem).

      1. JCitizen

        I was using Discover Card’s Online Secure Credit Card Numbers for several years now, and they were instrumental in helping one of my vendors bust a bad outsourced order service they were using. It was too late though, because the credit card companies took away their card handling ability, and they are only authorized to take cards over the phone now. They also had to return to the US for their shop order handling as outsourcing almost cost them their entire business!

        Wouldn’t you know, but Discover is dropping these features just as the Target breach becomes public! I’m dropping Discover Card now, because that is the ONLY reason I used them. Thanks Jason for letting us know of some alternatives.

    3. Jerry Leichter

      My BofA ATM card is just an ATM card, not a debit card.

      I ended up at BofA after a long series of bank mergers. One of the predecessor banks – I can’t now even recall which – added the debit card feature when they renewed my ATM card, unasked. I called them and asked for non-debit ATM card, and they sent me one – but the next time they re-issued my ATM card, the debit feature was back. I had to call them again.

      BofA, on the other hand, seems to fully understand the notion of a non-debit ATM card. They’ve retained that feature when they re-issued my card more than once. In fact, I called them just the other day to ask for a replacement of my card, as the plastic was splitting. No problem. I checked, just to be sure, that it would not be a debit card. The answer: That’s the way we have it coded for your account.

      — Jerry

  17. Richard Goeken

    Today Targer issued a statement in the newspapers that they have discovered the cause of the breach and blocked it.

    Does anyone have any details?

  18. John Smith

    For an interesting debate on notification laws and security you may want to read the point-counterpoint in Information Security Magazine between Bruce Schneier and Marcus Ranum entitled: State Data Breach Notification Laws: Have They Helped? Both miss the point of notification laws as many technical people often do, which is simply to notify. Considering the Target and Needless Markup breaches occurred beginning in November (arguably they had to start earlier than that but let’s focus on what we know) then a notification in early January is pretty darn fast. The TJX notification, just as an example, was literally years after the initial breach. Laws are not the problem here. If a consumer continues to shop at a merchant who was compromised then they’ve voted with their money.

    1. Bruce Hobbs

      You posted this on the wrong story. I have a pithy comment to add when you post it on the Target story.

  19. Tim

    In trying to piece together the known info about the NM and Target exploit, it certainly suggests the exploit was embedded into the POS system (i.e. the cash register software), or possible a common hardware component within the POS hardware systems. It doesn’t appear to have been a (possibly preventable) brute-force hack into the data centers or a databases.

    That said, if “firmware” were compromised, either the card reader itself (Verifone) or the Register terminal (NCR), that would certainly correlate the attacks between NM, Target, and the lesser publicized hacks into TJMax and Marshalls. And doing so would implicate that it wasn’t the retailers at fault at all, but rather the hardware/software companies that provided the POS technology. And if that’s the case – then this exploit may not be over. It may just that Target and NM were vigilant enough to catch it and respond.

    Think about it: If Verifone (the card reader) firmware were compromised? That would be a VERY powerful reason NOT to announce the exploit as holiday shopping would come to a sudden halt.

    Good news still remains!!

    We are NOT responsible for purchases we didn’t make. Period. That is a 100% iron-clad guarantee from ALL major CC brands. I’ve had my CC’s and Debit compromised in the past and I never was lost a single penny. With Debit, the purchase amount was IMMEDIATELY refunded into my bank account during the investigation. There was NO delay… dispelling the common myth regarding debit cards.

  20. Katrina Lowe

    CC information at Neiman Marcus is definitely worth more than CC information at Target—-not to downplay the gravity of the Target breach, but the folks who shop at NM are using Centurion Cards (‘Black’ Amex Cards) with monthly expenditures in the $300K range. Hackers really lucked out with that group.

    Information can be compromised at any time of the year, but what situations like this should teach people is to use cash during the holiday season, when hackers are more prone to launch attacks like this. It’ll save you much heartache in the long run.

    What’s laughable about these situations is that it takes a major breach to force a company to develop a more stringent security infrastructure. Makes me think about an article I read where they referenced a bunch of major businesses and said their security budgets severely paled in comparison to their other expenses.

  21. George G

    Just in case you have not seen this :

    Neiman Marcus now says that 1.1 million cards were compromised, over several months.

  22. Leigh

    Who are the QSAs for Target and Neiman? This should be public, right?

Comments are closed.