Retail Breaches: Congress Wants AnswersNeiman Marcus Offers More Information; Target to Testify
On Jan. 22, Neiman Marcus responded to questions posed in a letter from Sen. Richard Blumenthal, D-Conn., about its breach. In is reply to the senator, the retailer reveals some significant new details.
For example, it says suspicious activity was first noted on Dec. 13, 2013, and that the "sophisticated malware" used in the attack evaded intrusion detection and "clandestinely" penetrated payments systems to "obtain credit card information." The retailer also says that a related malware attack, separate from the one that ultimately compromised its network, "appears to have been clandestinely inserted earlier in 2013."
Meanwhile, a Target official will testify before a House panel in early February at a hearing devoted to data breaches and their impact on consumers.
Also, the American Bankers Association and the National Retail Federation have each written to Congress, with the organizations doing a bit of finger pointing about the roles and obligations the banking and retail sectors have for ensuring security across the payments chain.
Neiman Marcus Outlines Attack
On Jan. 13, Blumenthal asked Neiman Marcus, whose breach is now believed to have exposed more than 1 million debit and credit cards, why it waited several weeks to report its breach. He also asked that Neiman Marcus provide free credit monitoring and identity theft insurance to consumers
In its response, and a notice to the public, Neiman Marcus said that it would provide two years of free credit monitoring as well as ID theft insurance to all consumers who had shopped in its stores between Jan. 1, 2013, and Jan. 1, 2014 (see When Did Neiman Marcus Breach Start?).
Neiman Marcus, in its letter to the senator, says it's "deeply disturbed by the apparently widespread and sophisticated efforts to break into the computer systems of retailers in the United States in an attempt to steal payment card information."
The company says it was "not aware of any of this hidden malware until it was discovered this month by our investigative experts." Most notably, Neiman Marcus says it was first notified Dec. 13 by its merchant processor that fraudulent transactions had been traced back to a small number of its retail locations. An internal investigation was then initiated to determine if systems had been compromised.
Later, alerts dating from Dec. 17 through Dec. 20 from Visa and MasterCard suggested that more than 200 cards with fraudulent transactions had been linked to Neiman Marcus. Some 122 compromised MasterCard cards had been used in one Neiman Marcus location, the retailer states.
On Dec. 23, Neiman Marcus contacted federal authorities, and on Dec. 27, the retailer agreed to work with federal investigators, according to its letter to the senator.
"The scraping malware was complex and its output encrypted," Neiman Marcus states. "Over the next several days, the investigative firms worked to decrypt the output file by first reversing the malware to determine the encryption algorithm and then creating a script that employed the attacker's algorithm to the encrypted data in order to decrypt it. It was only after this decryption process was concluded that we were able to determine that payment card information had been captured."
Blumenthal issued a statement saying he was "pleased Neiman Marcus responded promptly and thoroughly." He also noted: "The month required to uncover and confirm this sophisticated malware scheme left consumers severely at risk, but the company apparently moved diligently and quickly when its investigation warranted. This incident shows how innovative, malicious software with self-concealing, camouflaging features is difficult to successfully and rapidly investigate or stop."
Blumenthal adds that all retailers have an obligation to enhance protections against cyberattacks. "Consumers deserve and need these protections," he states.
Target to Testify
In other Congressional action, the House Commerce, Manufacturing and Trade Subcommittee has announced that a Target official , along with law enforcement officials, will testify at a hearing next month about the retailer's breach. The company reports that the incident likely exposed some 40 million credit and debit transaction details, including encrypted PINs, along with personally identifiable information about 70 million customers.
The subcommittee also issued a resource guide for consumers concerned about personal and financial information that may have been compromised as part of the Target breach or some other attack. The Data Breach Consumer Alert includes resources and information about how consumers can guard themselves against ID theft and what to do when fraudulent charges are discovered.
"By examining these recent breaches and their consequences on consumers, we hope to gain a better understanding of the nature of these crimes and what steps can be taken to further protect information and limit cyber threats," says Rep. Lee Terry, R-Neb., who chairs the commerce, manufacturing and trade subcommittee of the House Committee on Energy and Commerce.
Industry Groups Jump In
On Jan. 16, American Bankers Association President and CEO Frank Keating sent a letter to the Senate and House asking Congress to examine the specific circumstances surrounding Target's breach. In the letter, Keating acknowledges that it is the responsibility of retailers, banking institutions and all others who play a role in the payments chain to ensure ongoing security.
"As evidenced by the Target breach, criminal elements are growing increasingly sophisticated in their efforts to breach the payments system, requiring all participants in the payments system to invest the necessary resources to combat what is a dynamic and continually changing threat," Keating states. "Inter-industry squabbles, like those over interchange, have had a substantial impact on bank resources available to combat fraud."
The ABA, Keating says, is asking for more shared responsibility when retail breaches result in fraud.
"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," he says. "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred. Moreover, bankers have historically received little meaningful reimbursement for the costs they have incurred."
Within five days of the ABA sending its letter, the National Retail Federation responded. In its own letter to Senate and House leaders, Matthew Shay, the federation's president and CEO, notes that banking institutions and the government "have a critical role to play" when it comes to ensuring card security.
"For years the banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next generation Chip and PIN card technology for customers in Europe and dozens of other markets," Shay says. "Only by working together will consumers' financial data be protected from criminals."
The NRF supports the passage of the Cyber Intelligence Sharing and Protection Act, which would allow the commercial sector to more quickly share information about threats, Shay says.