StorefrontBacktalk

Neiman Marcus Breach Follows Time-Honored Retail Breach Pattern: Waiting For Someone To Tell Them

Written by Evan Schuman
January 13th, 2014
When Neiman Marcus on Friday (Jan. 10) confirmed that its payment card systems had been breached in mid-December, it said it learned of the breach in the same way almost every breached chain had (with one exception, which will likely surprise you): when someone else told them.

"Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores," Neiman Marcus spokesperson Ginger Reeder said in an E-mailed statement. Sound familiar? The truth is that almost every breached chain learned of the situation not because the intrusion set off some alarm—or even that its IT people discovered the attack hours or days later during routine systems analysis—but when someone else noticed that a lot of fraudulent purchases were happening and that chain XX was the common point of purchase.

Sometimes this discovery happens by law enforcement investigating an unrelated incident or by a processor or even one of the card brands tracking the fraud. But why is it that the intrusions are almost never discovered? Interestingly enough, in the massive Albert Gonzalez attacks that hit a huge number of major chains (including JCPenney, Target, 7-Eleven, TJX, Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Wet Seal, Barnes & Noble, DSW, Forever 21 and Hannaford) some seven years ago, only one chain detected they were attacked, albeit not in time to stop it. Who was this IT vigilant chain? Target. (How's that for irony?)

(By the way, kudos to Neiman Marcus for having the common decency to keep this breach—which the chain said it learned of in mid-December—to itself until mid-January and to only reveal it then when reporters started asking about it. If they want to inspire confidence among the customers who love the chain's white-glove customer service, they found the perfect way to not do it.)

In security circles, there are two very distinct types of attacks: malicious and clandestine. Malicious is when the attacker's goal is to hurt the victim, perhaps by shutting down an E-Commerce site, changing what the site displays or deleting/changing critical customer or other corporate information. If the victim doesn't know about a malicious attack when it's happening, someone is really not paying attention.

But a clandestine attack is very different. Here the goal is to steal information by copying the information and stealing the copy. If the thieves do their jobs properly, the retailer victim would see nothing unusual to trigger a probe. Every major retail data breach—the kind where the chain eventually has to admit that millions of payment cards are now in the hands of bad guys—has been of the clandestine type.

To be fair to IT security, a huge number of attacks never get anywhere and are blocked out by highly efficient firewall and various protection efforts. Just like national law enforcement, they only get blamed for the handful of successful attacks and they can't get credit for the thousands that they successfully prevent. (Necessary secrecy is much of the reason.)

Also to be fair to IT, the typical heads up to an attack is found in traffic logs—which is the first thing the thieves manipulate, to hide their tracks.

That all said, why is that IT rarely detects these high-profile attacks, even after the fact? The standard retail argument has been that it's the payment card rules—dictated by the card brands (Visa, MasterCard, Amex, etc.)—that forces them into this unacceptable situation. That's behind much of the interest in mobile payment and even a souped-up version of EMV—OK, after lowering interchange fees. Retailers generally do not like being forced to house all of this payment card data, which serves them little good other than making them extremely attractive targets to the world's best cyberthieves.

It's been a valid question to ask for years. Perhaps it's now time to insist on some answers.