[BreachExchange] Neiman Marcus: 2015 Breach Exposed Full Card Details

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 18 19:14:13 EDT 2017


http://www.databreachtoday.com/neiman-marcus-2015-breach-exposed-full-card-details-a-9846

Hackers aren't giving luxury retailer Neiman Marcus Group a break.

On April 14, the company disclosed to the California attorney general that
a December 2015 breach compromised more sensitive information than first
thought. It also disclosed new attacks from earlier this year that exposed
names, contact information, email addresses and purchase histories,
although the retailer says it repelled most of the attacks.

The dual notifications mark the latest problems for the company, which
disclosed in early 2014 that its payment systems were infected with malware
that stole 350,000 payment card details. Over the past few years, retailers
such as Target, Home Depot and others have battled to keep their card
payment systems malware-free (see Neiman Marcus Downsizes Breach Estimate).

The 2015 incident started around Dec. 26. In a notification to California
about a month later, the retailer said it was believed attackers cycled
through login credentials that were likely obtained through other data
breaches. A total of 5,200 accounts were accessed, and 70 of those accounts
were used to make fraudulent purchases.

Although email addresses and passwords were not exposed, the original
notification noted, access to the accounts would have revealed names, saved
contact information, purchase histories and the last four digits of payment
card numbers. The affected websites included other brands run by Neiman
Marcus, including Bergdorf Goodman, Last Call, CUSP and Horchow.

According to its latest notification, however, Neiman Marcus Group now says
full payment card numbers and expiration dates were exposed in the 2015
incident. It's unclear why this information has just come to light, and
efforts to reach company officials weren't immediately successful. The
retailer had hired outside forensic experts to investigate following the
breach.

In light of the new information, the company says it has notified companies
that process card payments "to ensure that any issues related to
potentially compromised cards can be addressed."

New Attacks

The latest attack disclosed by Neiman Marcus Group, which occurred around
Jan. 17, mirrors the one from December 2015. It affects the websites of
Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, Horchow and a loyalty
program called InCircle.

Again, the company believes that attackers recycled other stolen
credentials in an attempt to see which ones still worked on its sites. It
appears that some of the credentials did unlock accounts. The breach
exposed names, contact information, email addresses, purchase histories and
the last four digits of payment card numbers. The company didn't specify the
number of accounts affected.

The attackers were also able to access some InCircle gift card numbers, the
company says. Loyalty program credits and gift card details are highly
sought as the information can be monetized on cybercriminal forums.

"At present, all indications are that the InCircle and Neiman Marcus Group
database of customer email addresses and passwords remains safe and that
our cyber defenses repelled the majority of the attacks," according to its
data breach notice.

Mandatory Password Reset

The reuse of credentials remains a huge problem in securing online
accounts. Although web services often remind people to create unique
passwords for each online account, consumers often default to one or a few
passwords they've committed to memory. That means a breach at one site has
a knock-on effect for others.

Over the past year, the situation has been magnified by disclosures of
data breaches by companies including LinkedIn, Dropbox and many others. In
those cases, breaches detected several years after the fact turned out to be
much broader than initially known, and that data now circulates freely on
hacking forums (see 'Historical Mega Breaches' Continue: Tumblr Hacked).

Web services can slow down hackers when suspicious activity is noticed,
such as rapid login attempts from a small range of IP addresses. Those
defensive systems can be fooled, however, by slowing down login attempts
and varying the apparent geographic origin of those attempts.
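The two detection shapes described here, as an added example that is not part of the article: a per-/24 failed-login velocity check of the kind the paragraph describes, and an account-side check that still catches the slow, source-varied pattern the velocity check misses. The login events and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample log: (timestamp, source ip, account, login succeeded).
T0 = datetime(2017, 1, 17, 3, 0, 0)
BURST = [(T0 + timedelta(seconds=2 * i), f"192.0.2.{10 + i % 3}", f"user{i}@example.test", False)
         for i in range(12)]                       # one /24, 12 failures in 22 s
SLOW = [(T0 + timedelta(minutes=7 * i), f"198.18.{i}.{20 + i}", f"cust{i}@example.test", False)
        for i in range(24)]                        # one failure per /24, 7 min apart
LEGIT = [(T0 + timedelta(minutes=11 * i), "203.0.113.5", "alice@example.test", i % 4 != 0)
         for i in range(6)]                        # a real user with occasional typos
EVENTS = sorted(BURST + SLOW + LEGIT)

def slash24(ip):
    return str(ip_network(f"{ip}/24", strict=False))

def ip_velocity_alerts(events, window=timedelta(minutes=5), threshold=10):
    """Return the /24 prefixes with >= threshold failed logins inside any window."""
    per_net = defaultdict(list)
    for ts, ip, _acct, ok in events:
        if not ok:
            per_net[slash24(ip)].append(ts)
    hits = set()
    for net, times in per_net.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(net)
                break
    return hits

def distributed_stuffing_alert(events, window=timedelta(hours=4), min_accounts=15, max_per_net=2):
    """Return the accounts hit in the first window where failures spread over >= min_accounts
    while no single /24 sends more than max_per_net: the low-and-slow shape a rate limiter misses.
    Thresholds must be tuned against the site's normal failed-login baseline."""
    fails = [(ts, slash24(ip), acct) for ts, ip, acct, ok in events if not ok]
    for i, (t0, _, _) in enumerate(fails):
        in_win = [f for f in fails[i:] if f[0] - t0 <= window]
        accounts = {acct for _, _, acct in in_win}
        per_net = Counter(net for _, net, _ in in_win)
        if len(accounts) >= min_accounts and max(per_net.values()) <= max_per_net:
            return sorted(accounts)
    return []
```

Run on the constructed events, the velocity check flags only the bursting 192.0.2.0/24, while the account-side check reports the two dozen accounts probed one-per-network over a few hours.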

For those affected by the January incident, Neiman Marcus Group is
enforcing a mandatory password reset. It's an action that's not undertaken
lightly for fear of alienating users, but it's a sign of how serious a
service feels the risk is to users or customers. The company also is
offering those affected a one-year subscription to an identity theft
service.