At a glance.
- May 2020 data breach at Neiman Marcus comes to light.
- Royal Gibraltar Police tighten data control policies after losing a physical list of officers' data.
Neiman Marcus discloses data breach.
Retailer Neiman Marcus yesterday disclosed that it had alerted some 4.6 million customers of a data breach that affected their personal information, Reuters reports. The breach, which occurred in May of 2020, affected about 3.1 million paycards, 85% of which appear to have been either invalid or expired. The retailer said that it believed its Bergdorf Goodman and Horchow units to have been unaffected. Chain Store Age says it's unknown how the attackers gained access in the first place.
The lag between the incident and its discovery is striking. Neiman Marcus's disclosure page says the store learned its data had been compromised only this past month, a good year-and-a-half after the breach took place. Investigation continues.
Quentin Rhoads, Director of Professional Services at CRITICALSTART, shared some observations about the criminals' motive and the difficulties of further investigation:
"It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access. Even though most of the credit cards and gift cards stolen don’t contain data like PINs and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen.
"The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems. They could easily be unable to identify the initial point of the breach, what other areas the attackers got access to, and what the attackers did outside of stealing data. All of these points are critical for an organization to understand in order to appropriately notify affected parties, identify pathways to prevent this in the future, and provide critical evidence to law enforcement to further criminal investigations."
Trevor Morgan, product manager with comforte AG, noted why retailers make attractive targets for theft of personal information:
“Retailers are some of the most viable targets for threat actors precisely because these businesses gather, process, and house so much information about their customers. Of course, they need this information to understand their customer base and grow their retail offers (and their businesses). However, they have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature. The outcome of not doing this is exactly what Neiman Marcus Group is now facing.
"The answer isn’t just to protect data within secured borders and behind guarded perimeters, though that is a good start. Protect the data itself as well, with data-centric security that makes sensitive information unreadable and unusable by threat actors. Data-centric methods such as tokenization can do this while also preserving data format so that business applications can work with data in a protected state. The best way to preserve reputational data in the market and keep your customers happy is to make sure you never have to inform them that their sensitive PII might be compromised!”
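As an added illustration of the format-preserving tokenization Morgan refers to (example code written for this briefing, not comforte's product or Neiman Marcus's systems): a constructed in-memory token vault swaps a card number for a random token of the same length that still passes the Luhn check and keeps the last four digits, so downstream applications keep working while a stolen copy of the token table is useless without the vault. The vault, the well-known test PAN and the last-four-digits policy are assumptions.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that payment applications apply to card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory vault (hypothetical); a production vault is a hardened,
    access-controlled store, and only it can map a token back to the real PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible PAN")
        if pan in self._token_by_pan:          # same PAN -> same token, so joins still work
            return self._token_by_pan[pan]
        while True:
            # random digits plus the real last four; retry until the token passes Luhn
            # so format validation in business applications does not reject it
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if luhn_valid(token) and token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]       # KeyError for anything the vault never issued


def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"                   # well-known test PAN, not a real card
    token = vault.tokenize(pan)
    return {
        "same_length": len(token) == len(pan),
        "luhn_valid": luhn_valid(token),
        "last4_kept": token[-4:] == pan[-4:],
        "not_the_pan": token != pan,
        "deterministic": vault.tokenize(pan) == token,
        "reversible_only_via_vault": vault.detokenize(token) == pan,
    }
```

Because the token is Luhn-valid it is indistinguishable in format from a card number, so the vault itself must be treated as the sensitive asset.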
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, was struck by the length of time between compromise and disclosure, and he says the sort of delay seen in this case isn't uncommon:
"As is depressingly common, it’s been nearly a year and a half between when the breach occurred and the notification to consumers that their personal info had been stolen. The overwhelming majority of organizations that suffer a security breach only find out when contacted by outside entities such as law enforcement or security researchers, or if the attacker proactively makes their presence known by trying to extort the victim by threatening to disclose stolen info or launch ransomware. The lack of both prevention and detection capabilities at many organizations is simply staggering. I try as much as possible to shy away from victim blaming, but in many circumstances organizations have been grossly negligent in securing customer data. Despite the press releases that almost never fail to describe the attackers or attack methods as “highly sophisticated”, the reality is that most breaches aren’t some “super cyber heist plot” out of a bad movie, but rather akin to some guy walking in the front door and wheeling out a file cabinet, and no one is around to notice.
"To protect themselves and their customers, organizations must adopt a culture of security at the highest levels of leadership to ensure that they have the means and talent to properly prevent or quickly identify and respond to a cyber-attack. This includes security education for all employees, proactive security hardening for systems and applications, frequent penetration testing to validate no mistakes or overlooked problems exist, and continuous monitoring for suspicious behaviors that may be present."
If you were a customer of Neiman Marcus, or indeed of any other retailer that sustains a data breach, what can you do to protect yourself? Lookout, which provides identity protection services, offered some quick tips that have general applicability to situations of this kind:
- "Change passwords immediately. Individuals should immediately change their password and the password for any services for which they may have used the same login information.
- "Monitor accounts for fraudulent activity. In the case of financial fraud, unfamiliar charges may appear on bank or credit statements. Watch for these signs across all your financial accounts.
- "Beware of phishing letters, emails or texts. When attackers have name, contact & address information, they often use this data to trick individuals into giving over more information.
- "With data breaches occurring all the time, it’s important to have ongoing monitoring and alerts if your information becomes compromised on the dark web or you become a victim of ID theft weeks, or even months later. For added protection, you can sign up for an identity protection service...that will protect you against scams, monitor your personal information and protect you with identity theft insurance."
Data exposure incident at the Royal Gibraltar Police.
Not all data incidents occur online. Some of them are as simple as a misplaced physical list. That appears to be the case with the Royal Gibraltar Police. The Gibraltar Chronicle reports that a list containing the names of serving and retired police officers had evidently been “left behind” when a police station closed in 2018. It turned up again last year while police were searching a property in the course of an investigation into a drug offense. The list contained, in addition to names, a few birth dates and the officers' telephone numbers. It was an old list, compiled in 2013, but still not the sort of thing you'd generally want to leave around. The moral of the story is that the physical media used to store personal or sensitive information also need to be secured.