Saturday, January 11, 2014

Neiman Marcus has also sustained a cyber attack and customer data breach (back in mid-December) involving credit and debit cards used at Neiman Marcus! Only after Brian Krebs made inquiries did Neiman Marcus acknowledge the mid-December breach and that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards! Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach. In that regard, the breach at Neiman Marcus is similar to the Target breach (online stores were not affected in the Target breach). And as of today, the Target breach remains an unsolved crime. Next question: how many other stores might have suffered breaches between Black Friday and Xmas?

As to the additional breaches: several more are yet to be revealed, and the Target hack attack grows larger...

http://ca.news.yahoo.com/exclusive-more-well-known-u-retailers-victims-cyberattacks-024345910--sector.html


Exclusive: More well-known U.S. retailers victims of cyber attacks - sources



By Jim Finkle and Mark Hosenball
BOSTON/WASHINGTON (Reuters) - Target Corp and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season last year, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.
Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks. Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.
The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches.
Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.
Only one well-known retailer, Neiman Marcus, has said that they too have been victim of a cyber attack since Target's December 19 disclosure that some 40 million payment card numbers had been stolen in a cyber attack. On Friday, Target said the data breach was worse than initially thought.
An investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Neiman Marcus said it was not sure if the breach was related to the Target incident.
Most states have laws that require companies to contact customers when certain personal information is compromised. In many cases the task of notification falls on the credit card issuer.
Merchants are required to report breaches of personal information including social security numbers. It was not immediately clear if that was the case with the retailers who were attacked around the same time as Target.
The Secret Service and Department of Justice, which are investigating the Target breach, declined to comment on Saturday.
SCRAPING MEMORY
Target has not disclosed how the attackers managed to breach its network or siphon off some of its most sensitive data.
The sources who spoke to Reuters about the breaches said that investigators believe the attackers used similar techniques and pieces of malicious software to steal data from Target and other retailers.
One of the pieces of malware they used was something known as a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said.
While the technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.
The alerts, published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them.
A Visa spokeswoman declined comment on the reports, which did not identify specific victims.
It was not clear whether Target's security team had implemented the measures that Visa had recommended to mitigate the risks of being attacked.
Yet a law enforcement source familiar with the breach said that even if the retailer had implemented those steps, the efforts may not have succeeded in stopping the attack.
That is because the attackers were more sophisticated than the ones in the previous attacks described in the Visa alerts, according to the source. The source asked not to be identified because they were not authorized to discuss the matter publicly.
DELAYED DISCLOSURE
Retailers are often reluctant to report breaches out of concern it could hurt their businesses. Target only acknowledged its 2013 attack after security blogger Brian Krebs reported the breach, prompting inquiries from journalists and investors.
Neiman Marcus said an outside forensics firm discovered evidence on January 1 that indicated the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer.
Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers.
During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C. Penney.
Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.
"It is really frustrating to the bank and also the customer," Johnson said.
One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.
Target spokeswoman Molly Snyder said the retailer is not commenting on the company's investigation of the breach.
"This continues to be an active and ongoing investigation. It would be inappropriate to discuss details at this point."
Avivah Litan, a security analyst for Stamford, Connecticut-based Gartner information technology research firm, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.
"Target was not the only retailer who got hit, but they got hit the biggest," Litan said.
Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.
Chris Gray, director of Denver, Colorado-based Accuvant information security firm's risk and compliance practice, said that sophisticated cyber crime groups do that because they only have one chance to get it right before victims catch on.
"You want to test it and make sure it works," Gray said. "Then you push it out at the appropriate time and do as much damage as you can."




http://news.yahoo.com/target-says-data-breach-hit-70-mn-customers-150615694.html





New York (AFP) - Giant US retailer Target said Friday that up to 110 million customers have had their personal data stolen in a data breach, sharply raising its initial estimate.
The number of people affected represented one in three Americans, and the scope of the information stolen was much broader than originally thought, Target admitted.
Target initially reported on December 19 that payment card data of some 40 million customers had been obtained by hackers during the year-end holiday shopping season.
The stolen information included credit and debit card data, customer names and PIN (personal identification data) numbers.
On Friday, Target said that its investigation had revealed that hackers also stole a second batch of data that included names, mailing addresses, phone numbers or email addresses for up to 70 million people.
"This theft is not a new breach; these are two distinct thefts as part of the same breach," a Target spokesman told AFP.
"The 70 million guests impacted by this new development are separate from the 40 million number that was previously shared."
Target chief executive Gregg Steinhafel said the company was "truly sorry" for the data breach.
Target said consumers would have "zero liability" due to any fraudulent charges arising from the theft. It offered one year of free credit monitoring protection.
Target is cooperating with an investigation led by the Justice Department and Secret Service. A group of state attorneys general have launched a parallel investigation aimed at protecting victims.
New York Attorney General Eric Schneiderman called the new disclosure "deeply troubling."
"Consumers in New York and around the country expect and deserve companies that protect their personal information when they shop on their websites and in their stores," Schneiderman said in a statement.
Target said the news of the data theft, which came at the peak of the Christmas shopping season, impacted sales in its stores.
It said it now expects fourth-quarter comparable store sales to decline 2.5 percent from its prior forecast of flat sales.
The company said it may need to take a charge for expenses related to the data breach to cover potential costs, including reimbursements for credit card fraud, liabilities from civil litigation, government investigations and enforcement proceedings.

http://www.infowars.com/neiman-marcus-is-latest-victim-of-data-breach/


Associated Press
January 11, 2014
The company has not yet released the number of customers affected. Credit: mrkathika via Flickr

Luxury merchant Neiman Marcus confirmed Saturday that thieves may have stolen customers’ credit and debit card information and made unauthorized charges over the holiday season, becoming the second retailer in recent weeks to announce it had fallen victim to a cyber-security attack.
The hacking, coming weeks after Target Corp. revealed its own breach, underscores the increasing challenges that merchants have in thwarting security breaches.
Ginger Reeder, spokeswoman for Dallas-based Neiman Marcus Group Ltd., said in an email Saturday that the retailer had been notified in mid-December by its credit card processor about potentially unauthorized payment activity following customer purchases at stores. On Jan. 1, a forensics firm confirmed evidence that the upscale retailer was a victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.



http://arstechnica.com/security/2014/01/neiman-marcus-suffers-breach-endangering-customer-credit-card-data/



Hackers pilfer credit card data from Neiman Marcus customers
Luxury retailer now is not sure how many customers were affected by the hack.

by Megan Geuss - Jan 11 2014, 6:40pm EST
On Friday evening, luxury retailer Neiman Marcus admitted that it had suffered a data breach exposing customers' credit card information and that it was working with federal investigators to find out the extent of the damage. The company told security writer Brian Krebs that it was not sure how many customers were affected or how the hack was caused.

Krebs, who appears to have unearthed news of the hack first, explains: “Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.”
For its part, Neiman Marcus said in an official statement that its credit card processor alerted the chain in mid-December about “potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.”

The retailer then contacted the authorities and hired a forensics firm to investigate. “On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result,” Neiman Marcus continued. “We have begun to contain the intrusion and have taken significant steps to further enhance information security.”

The company also tweeted late last night, “We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores.”

The breach comes only a few weeks after hackers made Target, well, a target, stealing data on 70 million customers and stealing information on some 40 million credit cards. The two hacks have not been linked in any way, although the timing of the two hacks is similar.



http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/





Hackers Steal Card Data from Neiman Marcus

Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.
Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.
Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.
Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.
The entirety of the company’s formal statement is as follows:
“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”
The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.
Target released additional details about the breach today, saying hackers also compromised the names, mailing addresses, phone numbers and email addresses for up to 70 million individuals. But Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers.
Neiman Marcus’s Reeder said the company has no indication at this time that the breach at its stores is in any way related to the Target attack. Still, the timing of the discovery of the Neiman Marcus incident — mid-December — roughly corresponds to the discovery of the Target breach. I will have more on this developing story if additional details become available.