1/10/2014 According to security researcher Brian Krebs, the breach was uncovered in mid-December 2013, about the same time as the Target breach. In a statement made today, Neiman Marcus said it confirmed a security problem on January 1, 2014, which may have exposed an unknown number of customer cards.
Scale (number of compromises) and Scope (what was compromised) have not yet been determined. The U.S. Secret Service, the company’s card processor and other specialists are investigating.
As of 11pm Central 1/10/2014 there is no information about the breach available on the www.NeimanMarcus.com web site.
The original Krebs report
http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/
Statement emailed by Neiman Marcus spokesperson Ginger Reeder, Vice President, Corporate Communications, to many news organizations, including
http://www.npr.org/blogs/thetwo-way/2014/01/10/261474867/neiman-marcus-says-hackers-stole-credit-card-data
01/16/2014 NM statement
In the block quote below the underlining is ours.
As best we know today, social security numbers and birth dates were not compromised. Customers that shopped online do not appear to have been impacted by the criminal cyber-security intrusion. Your PIN was never at risk because we do not use PIN pads in our stores.
…
If you have made a payment card purchase at Neiman Marcus in the past year, we will be offering you one year of free credit monitoring service for an added layer of protection. Sign-up instructions for this service will be provided on this website by Friday, January 24, 2014.
from Karen Katz, President and CEO, Neiman Marcus Group
http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat
There are several Q&A and customer guidance sections at the above URL.
01/16/2014 NM breach started July 2013
The time stamp on the first tracked intrusion was in July 2013. Consumers were not informed until just after the holiday season. NM has not, at least publicly, given any estimate of how many consumers were affected or what was stolen. They have stated what was not taken (see 1/16 update above).
http://www.nytimes.com/2014/01/17/business/breach-at-neiman-marcus-went-undetected-from-july-to-december.html
01/22/2014 Scale & Scope
The scale of the breach has been estimated to be about 1.1 million cards. The scope of what was taken appears to exclude social security numbers, birthdays and personal identification numbers.
Here is the information we have learned so far, based on the ongoing investigations:
• Social security numbers and birth dates were not compromised.
• Our Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity.
• Customers that shopped online do not appear to have been impacted.
• PINs were never at risk because we do not use PIN pads in our stores.
…
It appears that the malware actively attempted to collect or “scrape” payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware.
From Karen Katz, President and CEO, Neiman Marcus Group on January 22, 2014
http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat
An article from Reuters
To sign up for the no-charge credit monitoring (the ProtectMyID service from Experian) see
http://www.neimanmarcus.com/NM/Security-Info/cat49570732/c.cat#12
See this from ProtectMyID.Com
01/25/2014 NM confirms Scale
Neiman Marcus released a statement that approximately 1.1 million individuals have been affected by the recent data breach of their system.
02/04/2014 Senate Hearing
The Senate Judiciary Committee held a hearing today on Privacy in the Digital Age, at which Target and Neiman Marcus executives spoke. The Chairman, Senator Patrick J. Leahy of Vermont, said:
“If consumers cannot trust businesses to keep their data secure our economic recovery is going to falter.”
For the source of the quote and more, see
http://www.nytimes.com/2014/02/05/business/target-to-speed-adoption-of-european-anti-fraud-technology.html