Now Neiman Marcus Customers' Credit Cards Have Been Hacked


Target's not alone in its credit card hacking woes: this week, high-end retailer Neiman Marcus acknowledged that credit and debit cards used in its brick-and-mortar stores have been compromised. Shopping sure seems dangerous lately.


In a statement to security journalist Brian Krebs, a Neiman Marcus spokesperson says the retailer was alerted about a possible breach in mid-December. The size, duration and cause of the compromise are not known, but the company is working with a third-party forensics firm and the U.S. Secret Service to investigate the hacking.

As of right now, there is no evidence that the Target and Neiman Marcus hacks are related, and Neiman Marcus says that online shoppers were not affected in the breach. Still, if you used a credit or debit card at either retailer, it might be time to examine your statement, and if your card has been compromised, read up on what you should do next. [Krebs on Security]

Image: AP



I work in IT, and I see the reasons for these types of breaches all the time. And the main factor is money.

"No shit, Sherlock", you're thinking.

But, it's not exactly what you think. Sure, the people stealing the info want money, but that's not the money I'm talking about. The money I'm referring to is the 'Bottom Line'.

Companies and individuals come to us and want us to give them options for security. So we do. 95% of the time, people go with the cheapest solution we offer, because it's "good enough for what I need."

It's like people who use AVG or Avast for their anti-virus. Don't be surprised when you get infected. You only get what you pay for. Especially when it comes to security.

**Shut up!** I know some of you use AVG or Avast or some other free solution and have never been infected. Yay for you. Our company sees about 30 infected machines a week and most have only AVG or Avast as their protection. The lesson to be learned is, if you are aware and careful, AVG or Avast will work for you. But most people aren't as savvy with computers as you are. Your smug attitude about how AVG or Avast have never failed you is like your car's mechanic pulling a smug attitude with you because, "What? You don't know how to change a transmission?" So, keep it to yourself.

Anyway, as I was saying, security costs money. Tens of dollars for a consumer, hundreds or thousands for a small business, and hundreds of thousands to several million dollars for a company like Target or Neiman Marcus. The people who control the money blanch at those figures. So, they cut corners.

Now, I don't know how much these guys spent on their network security. But I'd be willing to bet a lot of their decisions on how to set it all up were based on cost. The cost of using 128 bit encryption is less than 256 bit, which is less than 512 bit.

Also, the people running the network factor into the equation. The better they are, the more they will need to be paid. And yet, a lot of corporations balk at paying higher salaries to IT staff. Again, you get what you pay for.

Not every corporation decided to go cheap. Some will take the best option regardless of the cost. And, sometimes, even then they will become a victim of something like this. But not as often.

Personally, I'm not surprised at all about these breaches. Some hackers see tough security and move to the next target, while some see it as a challenge, and will work to hack it no matter how tight security is. If someone really wants into a network, they will get in.

What makes me upset about breaches like these is the fact that they wait as long as they can before informing the people whose data was affected. If you detect a breach, issue a press release. Say something like:

"Our networks have been compromised. At this time, we don't know the extent of the breach, but we are informing the public so they can be aware and take any steps they feel are needed to protect themselves, like monitoring their credit cards for unauthorized charges. As soon as we know more, we will keep you informed."

They might not be giving out any real information, but they are letting people know as soon as they can, instead of hiding it.