Neiman Marcus released a statement late Friday admitting that it has known since mid-December about a security breach in its customer credit card data. The Secret Service and a private forensics firm are investigating, and it appears that transactions on Neiman Marcus’ website were not affected. But it is still unclear how many card numbers or how much customer data was stolen.
The situation is especially concerning given recent news that 40 million credit and debit card numbers, and personal information from 70 million people, were stolen from Target. Though there is currently no evidence that the Neiman Marcus and Target hacks are related or were perpetrated by the same people, their close timing in mid-December could indicate a connection.
Reuters reported Monday morning that at least three other prominent U.S. stores, possibly outlet mall chains, recently had credit card data hacked. Security journalist Brian Krebs told NPR’s Planet Money recently that in the last three years, “I would say things have gotten bigger, the bad guys are getting smarter and more efficient at moving this information once it's stolen.”
Though it is unclear how much of this is related, “law enforcement sources” told Reuters that they are looking into major Eastern European hackers who have been responsible for a significant portion of cybercrime in the last 10 years.
The growing problem is also raising questions about whether banks or retailers are responsible for costs when a security breach requires action to protect consumers and stop unauthorized spending. The debate is prompting plans for a Senate banking committee hearing in the next few weeks.
Banks and retailers are pointing the finger at each other. But both need to take steps toward better security. For instance, often people who buy stolen card numbers fabricate dummy cards with those digits to use for in-person transactions. Security features that made cards significantly harder to fake—like adding internal chips on which identifying information is encrypted or requiring PIN numbers for all purchases—could deter criminals from that approach. And if retailers had better security on their internal servers, keeping card numbers and other sensitive data encrypted at almost all times, hackers would have less to gain from infiltrating corporate databases.
Short of completely eliminating the problem, of course, the goal should be reducing the likelihood of these enormous jackpots: Hackers shouldn't be able to get 40 million card numbers just by accessing information from one large retailer. Repeated “success” makes this particular type of cybercrime increasingly appealing, which will lead to more incidents if things don’t change.