"Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores," the company stated for the press.
"We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation."
The evidence that the company was the victim of an intrusion was discovered by the forensics firm on January 1, and the company immediately took steps to contain the intrusion and to enhance information security.
"The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store," they added.
In the meantime, Reuters reported that, according to unnamed sources familiar with the Target and Neiman Marcus attacks, three other US retailers with mall outlets were breached during the holidays in a similar manner.
Apparently, law enforcement believes that the attackers come from Eastern Europe and might be behind all these breaches, but that theory is yet to be proven.
As a reminder: Target first notified the public that attackers had managed to compromise Point-of-Sale terminals at a considerable number of its brick-and-mortar shops all over the US, which may have resulted in the theft of credit card information of over 40 million customers. Then, some 20 days later, the company revealed that personal information of over 70 million customers had also been compromised.
Not a lot of detail about the Target breach has been shared publicly, but the company's CEO Gregg Steinhafel mentioned on Sunday that they found malware installed on their point-of-sale registers, giving rise to the speculation that RAM-scraping malware might have been used to capture unencrypted card data.