Holiday “hack attacks” on retailers including Neiman Marcus Group highlight how vulnerable companies are to the increasing threat of digital sabotage, a Dallas cyber-crime expert says. “I’m still amazed by how many CEOs treat this as a server or IT issue, instead of a boardroom issue,” said Matthew E. Yarbrough, president and managing partner of Yarbrough Law Group in Dallas. “CEOs need to be out in front … and ahead of the game. It’s a crisis-management issue at the highest levels.”
In a formal statement, Dallas-based Neiman Marcus said over the weekend that, in mid-December, its credit-card processor had disclosed “potentially unauthorized payment card activity” following customer purchases at Neiman Marcus Group stores. Spokeswoman Ginger Reeder wrote that the company was working with the U.S. Secret Service, a forensics firm and others to investigate the situation. On Jan. 1, she said, the forensics firm discovered evidence of a “criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.” The luxury retailer has begun to “contain the intrusion,” Reeder added, and to notify some customers “whose cards we know were used fraudulently after making a purchase at our store.”
The Neiman Marcus disclosures followed news of another holiday cyber attack on Target stores, where credit card or personal data for more than 100 million customers may have been stolen by thieves in the weeks after Thanksgiving. Reuters also reported over the weekend that the networks of at least three other well-known U.S. retailers with outlets in malls may have been breached as well.
Yarbrough, a former assistant U.S. attorney who works with companies (but not Neiman Marcus) on cyber-crime issues, said that debit-card PINs are especially attractive to criminals, who dispatch “mules” with these PINs to withdraw money from ATMs in small amounts. Yarbrough also noted that hackers like to trade information and brag about their exploits in internet chat rooms. “It’s no mistake that this happened to Target and Neiman Marcus back-to-back during the holidays,” he said.
To reduce their exposure to such attacks, Yarbrough added, his firm recommends that companies implement comprehensive strategic plans to address issues including potential theft and compromise. In an email exchange, Reeder of Neiman Marcus declined to say how many credit cards had been compromised by the holiday intrusion, how many fraud victims had been notified, or what sort of plan, if any, the company might have in place to mitigate digital sabotage.
“While we are in the midst of our forensic and criminal investigation, I cannot comment any further on what we have said in our statement,” Reeder wrote.