Beth Belton, USA TODAY
Neiman Marcus confirmed Saturday that thieves stole some of its customers' payment card information and made unauthorized charges over the holiday season.
It joins Target as the the second major retailer in recent weeks to fall prey to a cyber-security attack. Late Friday night, independent security researcher Brian Krebs was cited by CNET.com and a NPR blogger as discovering the latest breach.
The attacks underscore increasing challenges merchants face thwarting security threats. Neiman Marcus didn't say whether its breach was related to the massive data theft at Target, but some security experts believe they could be part of the same scam.
Ginger Reeder, spokeswoman for Dallas-based Neiman Marcus, said in an email to The Associated Press Saturday that the retailer had been notified in mid-December by its credit card processor about potentially unauthorized payment activity following customer purchases at stores.
On Jan. 1, a forensics firm confirmed evidence that the upscale retailer was a victim of a criminal cyber-security intrusion and that some customers' credit and debit cards were possibly compromised as a result.
Jordy Leiser, CEO of customer service rating firm StellaService, said Saturday that retailers' outreach to their customers after a breach is discovered is crucial when shoppers are wondering whether their personal data may be at risk.
"All of this falls under a big umbrella (for retailers) of having a customer service disaster recovery plan in place ... It's not just about investigating the breach but also about making sure customers can get the information they need," Leiser said.
Reeder wouldn't estimate how many customers may be affected but said the merchant is notifying customers whose cards it has now determined were used fraudulently. Neiman Marcus, which operates more than 40 upscale stores and clearance stores, is working with the Secret Service on the breach, she told the AP.
"We have begun to contain the intrusion and have taken significant steps to further enhance information security," Reeder wrote.
Robert Siciliano, a security expert with McAfee, a computer security software maker, says it is possible Neiman Marcus doesn't yet know the extent of the breach. He says he believes that the two thefts were likely committed by the same organized group.
"It's a knee-jerk reaction that the security industry has right now," he added.
Target disclosed Friday that its massive data theft was far more extensive and affected millions more shoppers than the company announced in December. The nation's second-largest discounter said hackers stole personal information - including names, phone numbers, email and mailing addresses - from as many as 70 million customers as part of a data breach it discovered last month.
Minneapolis-based Target announced Dec. 19 that some 40 million credit and debit card accounts had been affected by a data breach that happened from Nov. 27 to Dec. 15 - just as the holiday shopping season was getting into gear.
According to new information gleaned from its investigation with the Secret Service and the Department of Justice, Target said Friday that criminals also took non-credit card related data for some 70 million customers. Some overlap exists between the 70 million individuals and the 40 million compromised credit and debit accounts, Target said.
The Target attack could be the largest data breach on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90 million records stolen from TJX.
On Friday, Target cut its earnings outlook for the quarter that covers the crucial holiday season and warned that sales would be down for the period.