Data breach could affect 1.1 million

By Hayley Tsukayama / The Washington Post

Neiman Marcus Group said Thursday that hackers who waged a nearly three-month attack on its systems evaded detection for months after stealing personal data from up to 1.1 million shoppers.

So far, about 2,400 credit cards have been used in fraudulent transactions linked to the breach at its Neiman Marcus and Last Call stores, the high-end retailer said in an statement posted on its website.

This is the most detailed accounting of the intrusion, which lasted from July to October of 2013, that the firm has released to date. The full scope of the breach remains under investigation, the company said.

Neiman Marcus, which operates five stores, including its namesake department store and Bergdorf Goodman, said online customers were not affected by the attack.

Sensitive information such as social security numbers, birth dates and PIN numbers were not taken in the cyberattack, the company said.

The scope of the Neiman Marcus attack is far more limited than a similar breach at Target, which suffered a December breach that may ultimately affect more than 100 million customers. Though Neiman Marcus says it has “no knowledge” of a connection to the Target breach, the incidents appear to be similar.

Karen Katz, the president and chief executive of Neiman Marcus Group, said in a statement to customers that criminals installed malicious software to collect payment information on the firm’s system for nearly three months. Despite the duration of the attack, the retailer said it was not notified of the problem until mid-December and did not confirm that there had been an attack until Jan. 1 — about six months after the initial attack. It notified consumers about a week later.

The company now is casting a wide net to notify customers about the breach. It is sending notifications to all customers for whom it has addresses or email address and who have shopped at its stores in the past year. It is also offering a year of free credit monitoring to consumers using Experian’s ProtectMyID program.