The Neiman Marcus hack saw potentially 1.1m credit card details stolen, the high-end retailer has admitted, though it claims that no online customers were impacted and no PINs were stolen. "The malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013," Neiman Marcus president and CEO Karen Katz wrote in an open letter to customers, though so far credit card companies have said only around 2,400 cards have actually seen fraudulent activity as a result. Still, the retailer has offered a make-up deal to anyone who shopped there between January 2013 and 2014.
That consists of a year's worth of credit monitoring and identity-theft protection. Neiman Marcus will notify by mail and email any customers for whom it has contact details, but anybody else who shopped there in that period can get the same deal.
The fact that Neiman Marcus doesn't have PIN pads in its stores means that customers' PIN codes weren't harvested. The retailer is yet to conclude how many stores were affected, while Katz says that "to our knowledge" the malware did not affect online sales.
Now, Neiman Marcus is reviewing its payment card systems and "reviewing our intrusion detection systems and firewalls" so that another hack doesn't take place. Unfortunately, questions still remain around how the issue could have gone unnoticed for six months.
Criminal and forensic investigations continue to try to identify the source of the hack.