Neiman Marcus computers were hacked as far back as July - NYT

Fri Jan 17, 2014 12:20am EST

Jan 17 (Reuters) - Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation.

Neiman Marcus said on Friday that hackers may have stolen customers' credit and debit card information, the second cyber attack on a retailer in recent weeks.

Neiman Marcus had said it first learned in mid-December of suspicious activity that involved credit cards used at its stores.

However, in a call with credit card companies on Monday, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, the paper said. ()

Neiman Marcus spokeswoman Ginger Reeder declined to comment to Reuters on the New York Times report about the July hack attack.

"We did not get our first alert that there might be something wrong until mid-December. We didn't find evidence until Jan. 1," Reeder told Reuters late on Thursday.

Neiman Marcus did not say how many credit cards were affected but said that customer social security numbers and birth dates were not compromised.

"Customers that shopped online do not appear at this time to have been impacted by the criminal cyber-security intrusion. Your PIN was never at risk because we do not use PIN pads in our stores," Chief Executive Karen Katz wrote in a letter to customers, a copy of which was posted on the company's website.

Katz said the company has taken steps to contain the situation, including working with federal law enforcement, disabling the malware and enhancing security tools.

The company is also assessing and reinforcing its related payment card systems, Katz said.

The U.S. government on Thursday provided merchants with information gleaned from its confidential investigation into the massive data breach at Target Corp, in a move aimed at identifying and thwarting similar attacks that may be ongoing.

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (1)
Rober1y wrote:
The NYT article suggests that NM knew of the breach back in July. This doesn’t make sense. NM doesn’t issue the cards, a bank does, even if it has NM’s name on the card. Charges go to the bank, not the retailer. NM would have no idea how the card was being used until the bank told it. If the NYT writer is suggesting that the banks held onto this information, that might be a story. However, the NYT writers lack of understanding of the process is apparent.

Jan 17, 2014 1:38pm EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.