The Neiman Marcus Group disclosed some detail about its recent data breach. In a letter to its customers, Karen Katz, the President and CEO, stated that malware had been secretly installed in its systems and had stolen shoppers' payment information from July 16, 2013 to October 30, 2013. As many as 1.1 million shoppers were affected. The letter also said:
"... Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."
The retailer notified these 2,400 breach victims on January 10. So far, only shoppers' debit/credit card payment information has been stolen: card numbers, expiration dates, and cardholders' names:
"Social security numbers and birth dates were not compromised. Our Neiman Marcus and Bergdorf Goodman cards have not seen any fraudulent activity. Customers that shopped online do not appear to have been impacted. PINs were never at risk because we do not use PIN pads in our stores."
Several state governments require companies to notify them about data breaches affecting their residents. In a breach notification letter (Adobe PDF) to the New Hampshire Department of Justice, the retailer provided more details about the breach:
"As a result of the investigation we initiated, using two of the leading computer forensic investigative firms, we learned for the first time on January 1, 2014 (preliminarily), and then more concretely on January 2 and 3, that sophisticated, self-concealing malware that can "scrape" (copy from temporary memory during execution of payment) payment card information ("the scraping malware") had been clandestinely inserted into our system. We later learned that this malware had been inserted in our system as early as July 2013... it appears that the scraping malware was active between July 16, 2013 and October 30, 2013... it appears that the scraping malware was not operating at all Neiman Marcus Group stores..."
So the malware affected shoppers in several of the retailer's store chains. The use of the term "system" suggests that the retailer's network was infected, not just its point-of-sale (PoS) computers. It also seems that multiple types of malware were involved in the breach:
"Separate, related malware that allows this scraping malware to function appears to have been clandestinely inserted earlier in 2013. Neiman Marcus was not aware of any of this hidden malware until it was discovered this month by our investigative experts..."
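The letter describes memory-scraping malware: card data is read out of a PoS process's RAM while a payment is being processed, before it is encrypted for transmission. The following is an added example (not code from the page, the letter, or Neiman Marcus) of the kind of check a forensic analyst runs over a memory snapshot from a suspect PoS host to find out whether track data is sitting in memory in the clear. It looks for Track-2-shaped records (PAN, "=", expiry YYMM, service code), validates the PAN with the Luhn checksum to filter out random digit runs, and reports only a masked PAN so the findings can be logged safely. The sample buffer and the names `SAMPLE_MEMORY`, `scan_memory` and `Finding` are constructed for this example; the PAN used is a publicly known test number, not real cardholder data.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a stand-in for a few bytes of a PoS process memory snapshot.
# 4111111111111111 is a publicly known test PAN; nothing here is real cardholder data.
SAMPLE_MEMORY = (
    b"\x00\x00log=ok\x00"
    b";4111111111111111=1512101123456789?"   # Track-2-shaped record, PAN passes Luhn
    b"\x00\x00"
    b";1234567890123456=1512101000000000?"   # same shape, but the PAN fails Luhn
    b"\x00order=42\x00"
)

# Track 2 layout (ISO 7813): start sentinel ';', 13-19 digit PAN, field
# separator '=', expiry YYMM, 3-digit service code, discretionary data, end '?'.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<rest>\d{3,})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 checksum; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    offset: int       # byte offset of the record inside the snapshot
    masked_pan: str   # first 6 and last 4 digits only, safe to log
    expiry: str       # YYYY-MM


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> List[Finding]:
    """Return every Luhn-valid, Track-2-shaped record found in the buffer."""
    findings: List[Finding] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        mm = int(m.group("mm"))
        # Drop digit runs that merely look like a record: bad checksum or bad month.
        if not luhn_ok(pan) or not 1 <= mm <= 12:
            continue
        expiry = f"20{m.group('yy').decode()}-{m.group('mm').decode()}"
        findings.append(Finding(m.start(), mask_pan(pan), expiry))
    return findings


if __name__ == "__main__":
    for f in scan_memory(SAMPLE_MEMORY):
        print(f"offset={f.offset} pan={f.masked_pan} expiry={f.expiry}")
```

On the constructed snapshot only the first record is reported; the second has the right shape but fails the Luhn check, which is the main source of false positives when this kind of scan is run against a full process dump. A hit on a production PoS host means cleartext track data is reachable by any code running with that process's privileges, which is exactly the exposure the letter's "scraping malware" exploited; the mitigation is point-to-point encryption at the card reader so that the PoS application never holds the PAN in memory.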
The retailer said it has postal (street) address information for only 31% of the 1.1 million shoppers, and it has identified 822 New Hampshire residents (with street addresses) affected by the breach. The Neiman Marcus Web site contains the breach letter and a frequently-asked-questions page: basic content for shoppers who have never experienced a data breach before.