The theft of consumer data from Neiman Marcus appears far deeper than had been disclosed originally, with the company now saying that hackers invaded the luxury retailer’s systems for several months in a breach that involved at least 1.1 million credit and debit cards.
In a statement posted on its website Wednesday night, Neiman Marcus said that malware had been installed in its system and had pulled payment data off cards used from July 16 to Oct. 30. MasterCard, Visa, and Discover have told the company that about 2,400 cards used at Neiman Marcus and its Last Call outlet stores have since been used fraudulently.
Federal investigators, including the Secret Service and the FBI, have been trying to determine whether the extensive security breach at Target and the one at Neiman’s are related. Investigators and security experts have described a loose band of hackers from Eastern Europe as the likeliest suspects in the Target theft. Security experts working with the authorities have said that the hackers were eyeing several major retailers as potential targets.
Neiman Marcus Group, which also owns Bergdorf Goodman, said it would notify all customers who shopped in those stores between January 2013 and January 2014 — and for whom the company has a mailing or e-mail address. It will offer one free year of credit monitoring to those shoppers.
The company was first told that there may have been a breach in mid-December. The company informed federal law enforcement, and a forensic investigation found evidence of the breach Jan. 1, Neiman said.
The week before Christmas, Target announced that 40 million of its customers had had their credit and debit card information compromised. Those customers shopped in its stores between Nov. 27 and Dec. 15. Then in January, Target said that another batch of data, personal information such as addresses and phone numbers, had been compromised — leaving a group of 70 million of its customers exposed. Malware installed on point-of-sale systems snatched customer data off the cards’ magnetic strip.
Neiman said it had no knowledge of a connection between the two attacks. Social security numbers, PIN data, and birth dates were not compromised, the company said.