New details have come to light about the Neiman Marcus security breach, revealing that over 1.1 million consumers may have been victimized by a scheme that appears strikingly similar to the attack that besieged as many as 100 million Target shoppers last month.
Investigators have not revealed whether the loose band of Eastern European hackers suspected in Target's theft is also suspected in the Neiman Marcus breach, reports The New York Times. However, "security specialists working with the authorities have said that the hackers were considering several major retailers as potential targets."
In both cases, RAM-scraping malware appears to have been installed on point-of-sale terminals using a Trojan tool in an operation that investigators are calling Kaptoxa, reports Wired. "The code is based on a previous malicious tool known as BlackPOS that is believed to have been developed in 2013 in Russia."
In an apology on Neiman Marcus's website, president and CEO Karen Katz disclosed that hackers attempted to "scrape" credit card data last year between July 16 and Oct. 30. To date, approximately 2,400 cards had been used fraudulently, she said.
However, Katz assured customers that no Social Security numbers or birth dates were compromised; no Neiman Marcus or Bergdorf Goodman cards had been used fraudulently; online shoppers were not affected; and PINs were not at risk. Like Target, Neiman Marcus will offer one year of free credit monitoring and identity-theft protection to anybody who shopped with the store in the last year.
According to the Times, this rash of breaches has reignited discussion of whether the U.S. should adopt the same EMV credit card technology that is pervasive throughout the rest of the world, in which cards have a small chip that generates a new code for every transaction.
The only hitch is, "retailers and card issuers have worried that the cost of adopting the technology, usually estimated at $15 billion to $30 billion, would be more than the cost of the fraud it prevented."