Neiman Marcus has determined that a data breach extending from July until October of 2013 exposed as many as 1.1 million payment cards to malware, and that 2,400 cards have been used fraudulently as a result.
Neiman Marcus acknowledged the breach two weeks ago and made further details available in a statement this week.
"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system," Neiman Marcus wrote. "It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware. To date, Visa, MasterCard, and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."
The New York Times reported that "the malware installed on terminals in Neiman Marcus stores seems to be the same malware that infiltrated Target’s systems." The Target breach was much bigger, exposing credit and debit card information for about 40 million customers and a separate set of personal information on an additional 70 million customers.