US-based luxury retailer Neiman Marcus has admitted that, much like Target in December, its payment systems and processing software were cracked over the course of several months in 2013 by an as-yet-unknown criminal organization based somewhere in Russia.
Since the breach, around 2,400 cards have been used for fraudulent purchases that showed up on their holders’ monthly statements, ranging from tiny transactions on websites like Amazon to large buys from brick-and-mortar retailers like Best Buy.
From July 18th to October 30th of last year, a program similar to the one we saw in the Target breach was running in the background of the POS machines that process credit and debit card purchases at the high-end chain. As of right now, no firm connections have been made between the two hacks; however, an increase in the frequency and scope of these campaigns suggests they are being carried out by members of the same criminal organizations.
The malware stayed undetected for almost four months, but what causes the most concern in the netsec community is that experts at the store’s headquarters didn’t discover the problem until January of 2014.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system. It appears that the malware actively collected or “scraped” credit card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have potentially been visible to the malware.”
If retailers don’t find a way to prevent this sort of problem from occurring with individual cards, how will we be able to trust technologies that are still in their infancy and only beginning to be rolled out? Companies like Coin and the Google Wallet service suddenly become far more valuable (and vulnerable) targets, with one card linking all of our accounts to a single source.
If we plan on moving in that direction over the next few years, retailers and the companies that protect their payment processing services are going to need to step up to the plate and assure the public that their systems are safe for us to use, and trustworthy enough to handle our sensitive financial data in the years to come.