While the Target case continues to fall under the microscope for legislators and security professionals, in the case of Neiman Marcus it appears more than one piece of malware is to blame for the breach that affected 1.1 million of its customers.
Following an investigation, security professionals found two pieces of malware “clandestinely inserted” into the company’s network resulted in the breach, according to a letter sent to the New Hampshire state attorney’s office by Tracy Preston, senior vice president and general counsel of the Neiman Marcus Group.
While the malware that scraped the card data was loaded onto systems as early as July 2013, a second component was placed in the system much earlier and enabled the scraping malware to be uploaded and to function.
Thus far, up to 2,400 credit and debit cards involved in the breach have been used for fraudulent transactions.
The malware was surreptitiously installed on Neiman Marcus’ systems as early as July 2013 and was active through Oct. 30, 2013, said Neiman Marcus CIO Michael R. Kingston.
The retailer’s first hint of fraud came Dec. 13 when its merchant processor said Visa identified fraudulent purchases with cards used at a small number of stores. Over the next week, Visa and MasterCard sent more reports of cards fraudulently used after their holders visited stores.
Neiman Marcus hired a forensics firm Dec. 20 to investigate and notified federal law enforcement on Dec. 23, Kingston said. A second computer investigation consultant, Stroz Friedberg, was hired Dec. 29.
On Jan. 1, the forensics firm said it appeared to find malware that related to payment card transactions. Over the next two days, Neiman Marcus began planning how to notify affected consumers and financial institutions.
When it comes to its security measures, Kingston said Neiman Marcus’ systems exceed the Payment Card Industry’s Data Security Standard (PCI-DSS) requirements, a set of security best practices around handling card data.
PCI-DSS does not require encryption of network traffic within a retailer. Data from cards swiped at Neiman Marcus passes through a point-of-sale device’s memory, “then is transmitted through an encrypted tunnel to a central point on our network,” Kingston said.
“The data is then forwarded through a firewall to the merchant payment processor over a dedicated circuit,” he said.
Kingston described the malware used as “complex and its output encrypted.”
Its investigators analyzed the encryption algorithm and created a script that allowed them to decrypt the information it scrambled, which showed “payment card information had been captured,” Kingston said.
Security experts believe a variant of “Kaptoxa,” also called “BlackPOS,” was used against Target. Security researchers first spotted the malware in March 2013. It is not clear whether Kaptoxa is the same malware used against Neiman Marcus.