
Neiman Marcus hack reportedly went undetected for months

The upscale department store identified a security breach in mid-December, but sources tell the New York Times that the hacker's trail leads back to July.

Steven Musil Night Editor / News

A security breach that yielded Neiman Marcus customers' payment card information went undetected for nearly six months, according to a report in the New York Times.

The upscale department store revealed Friday that hackers may have stolen customers' credit and debit card information during an intrusion it detected in mid-December, but sources told the Times that the earliest time stamp on the breach was from July. During a call with credit card companies on Monday, the company acknowledged that the intrusion had been fully contained only a day earlier, three days after it was publicly revealed, sources told the newspaper.

Neiman Marcus did not immediately respond to a CNET request for comment but told Reuters that it only learned of the breach last month.

"We did not get our first alert that there might be something wrong until mid-December," Neiman Marcus spokesperson Ginger Reeder told Reuters. "We didn't find evidence until January 1."

The luxury chain has not revealed how many of its customers may be affected by the security breach but said no customer Social Security numbers or birthdates had been compromised. As with a recent high-profile breach at retailer Target, malware installed on in-store point-of-sale terminals appears to have been the avenue for data theft.

"Customers that shopped online do not appear to have been impacted by the criminal cyber-security intrusion," Neiman Marcus CEO Karen Katz said in a statement to customers. "Your PIN was never at risk because we do not use PIN pads in our stores."

In addition to disabling the malware, Katz said the company is beefing up its security and working with federal law enforcement officials and a forensic investigator to determine the source of the attack.