
Holiday cyberattack hit 3 retailers with ‘outlets in malls,’ Neiman Marcus & Target

Analysis
Jan 12, 2014, 5 mins
Cybercrime, Data and Information Security, Microsoft

Target, Neiman Marcus and three other U.S. retailers with 'outlets in malls' were all hit during holiday hacking spree.

Target, Neiman Marcus and “at least three other well-known U.S. retailers” with “outlets in malls” were also hacked over the holiday shopping season. The hacks have certainly caught the attention of Congress.

“When a number equal to nearly one-fourth of America’s population is affected by a data breach, it is a serious concern that must be addressed,” said Senator Edward J. Markey in a statement on Friday. “These findings only underscore the need for retailers across industries to make their security safeguards iron-clad to ward off hackers prowling for Americans’ personal information.”

On Friday, Target admitted that not only did hackers break in and steal about 40 million customer debit and credit card records, but also nabbed the names, phone numbers, mailing and email addresses for up to 70 million customers. According to Target’s newest statement:

As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

Neiman Marcus admits hackers stole customers’ credit card data

Prodded by breach inquiries from security blogger Brian Krebs, retailer Neiman Marcus admitted:

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.

Neiman Marcus then tweeted, “We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores.”

3 more U.S. retailers with ‘outlets in malls’ also hacked

Reuters reported that “breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Unnamed sources familiar with the hacks told Reuters “that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from Target and other retailers.”

One of the pieces of malware they used is known as a RAM scraper, or memory-parsing software. It lets cyber criminals capture data that is encrypted everywhere else by grabbing it as it passes through a computer’s live memory, where it briefly appears in plain text.

Avivah Litan, a security analyst for Gartner research, said, “Target was not the only retailer who got hit, but they got hit the biggest.” She was told about “a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator.” Litan added, “Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed.”

Law enforcement sources suspect the attackers are cybercrime “ring leaders from Eastern Europe.”

Sen. Deb Fischer cited the Target hack and the breach of the mobile application Snapchat in a letter to the leaders of the Senate Commerce Committee. She called those breaches a sign that “our nation’s entire data security framework is in desperate need of revamping.”

Updated Personal Data Privacy and Security Act bill

After the Target hack, Sen. Patrick Leahy, chairman of the Senate Judiciary Committee, reintroduced a bill that would make it a crime to cover up data breaches; it “imposes a prison term of up to five years and/or a fine on any individual who has knowledge of and intentionally and willfully conceals a security breach and such breach results in economic harm of $1,000 or more to any individual.” The updated Personal Data Privacy and Security Act would also force businesses to disclose data breaches within two months of their discovery.

“This is a comprehensive bill that not only addresses the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” said Sen. Leahy.

Although “a congressional update of data breach laws is overdue,” a poorly drafted one “could unintentionally weaken stronger state statutes that are already on the books if a federal standard is written to preempt those laws.” EPIC executive director Marc Rotenberg said, “Sen. Leahy’s bill is a good starting point, though the preemption provision is a problem as it will remove stronger state consumer laws. That provision should be changed.”


Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.