The hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation.
The hackers moved unnoticed in the company’s computers for more than eight months, sometimes tripping hundreds of alerts daily because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data were taken from July through October.
The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target (TGT), said Aviv Raff, an Internet-security expert.
“The code style and the modus operandi look totally different,” said Raff, chief technology officer of Israel-based Seculert, after Bloomberg News provided him with details of the malware reviewed in the report. “The attackers were using a specific code for a specific network, and the way they were writing their code doesn’t seem to be related to the way that the attackers on the Target breach were.”
Ginger Reeder, a spokeswoman for Neiman Marcus, says the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software, so any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team.
“These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” Reeder says.
The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. The maximum number of customer cards exposed, according to the most recent estimate, is less than 350,000, Reeder says. Approximately 9,200 of those have been used fraudulently since the attack, she says.
The U.S. Secret Service is leading both the Target and Neiman Marcus investigations. Special Agent in Charge Edward Lowery declined to comment on whether the two were linked.
According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores (MIK).
New details of the cyberattack on Neiman Marcus, which the retailer disclosed on Jan. 10, emerged in a forensic report required under security standards set by the major credit-card brands. The review leaves many questions about the attack unanswered because the data are insufficient. Investigators couldn’t trace how the hackers broke into the network, for example, or when the data were removed.
The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report. The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
The 59,746 alerts set off by the malware indicated “suspicious behavior” and may have been interpreted as false positives associated with legitimate software. The report, prepared for the retailer by consultancy Protiviti, doesn’t specify why the alerts weren’t investigated.
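The failure mode described above, a lookalike process name recurring as "suspicious behavior" across many registers day after day while buried in a high-volume log, can be surfaced with a small triage pass over endpoint-protection entries. The following is an added example, not code from the article, Neiman Marcus or Protiviti; the binary name, log format and sample lines are hypothetical and constructed.

```python
# Added example: triage of endpoint-protection log lines for two patterns the
# report describes: a process name imitating legitimate payment software, and the
# same suspicious-behavior alert recurring on many hosts over several days.
from collections import defaultdict
from difflib import SequenceMatcher

# Hypothetical name; the actual payment software name is not in the article.
LEGIT_PAYMENT_BINARY = "pospayment.exe"

# Constructed sample lines in the form: date host process verdict
SAMPLE_LOG = """\
2013-07-16 reg-0142 pospayment.exe allowed
2013-07-16 reg-0142 pospaymnet.exe suspicious_behavior
2013-07-16 reg-0377 pospaymnet.exe suspicious_behavior
2013-07-16 reg-0377 updater.exe allowed
2013-07-17 reg-0142 pospaymnet.exe suspicious_behavior
2013-07-17 reg-0901 pospaymnet.exe suspicious_behavior
2013-07-17 reg-0901 chrome.exe allowed
"""

def lookalike(name, legit=LEGIT_PAYMENT_BINARY, threshold=0.9):
    """True when name differs from the legitimate binary but is nearly identical."""
    n = name.lower()
    return n != legit and SequenceMatcher(None, n, legit).ratio() >= threshold

def triage(log_text):
    """Summarise every process with at least one suspicious_behavior verdict:
    distinct days and hosts seen, alert count, and whether it is a lookalike."""
    stats = defaultdict(lambda: {"days": set(), "hosts": set(), "alerts": 0})
    for line in log_text.splitlines():
        day, host, proc, verdict = line.split()
        if verdict != "suspicious_behavior":
            continue  # "allowed" entries are the benign bulk of the log
        s = stats[proc]
        s["days"].add(day)
        s["hosts"].add(host)
        s["alerts"] += 1
    return {p: {"days": len(s["days"]), "hosts": len(s["hosts"]),
                "alerts": s["alerts"], "lookalike": lookalike(p)}
            for p, s in stats.items()}

def recurring_lookalikes(log_text, min_days=2):
    """Processes that imitate the payment binary AND recur on min_days or more days."""
    return sorted(p for p, s in triage(log_text).items()
                  if s["lookalike"] and s["days"] >= min_days)
```

Ranking by distinct days and hosts rather than raw count is what separates a daily-reloaded implant from one-off false positives, even when the total is 1 percent of the log.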
Kathy Keller, a spokeswoman for Protiviti, didn’t immediately respond to an e-mailed request for comment.
The hackers were aided by the hub-and-spoke design of Neiman Marcus’s point-of-sale, or POS, system, which connects the stores’ payment registers to a central computer that processes transactions. The arrangement allowed the hackers to reload their software on multiple registers quickly after it was deleted at the end of each day.
The report also says that hackers took control of a vulnerable server that allowed them to circumvent the POS system’s security. The server connected both to the company’s secure payment system and out to the Internet via its general purpose network. New regulations distributed in November ask companies to test the security of such linkages more rigorously.
“In an ideal world, your card-data network should be completely segmented from the general-purpose network,” said Robert Sadowski, director of technology solutions at RSA Security, a division of EMC (EMC). “Unfortunately, an ideal world is often different than reality.”
Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.
Michael Kingston, chief information officer for Neiman Marcus, told House lawmakers this month that the hackers began stealing card data on July 16. That’s when the memory-scraping malware began working, according to the report. The hackers had actually broken in four months earlier, on March 5, and spent the additional time scouting out the network and preparing the heist, a timeline in the report shows.
The Neiman Marcus hackers used different tools and a different strategy from the raiders at Target. Investigators use such details to establish and confirm perpetrators’ identities in the digital world—akin to police use of fingerprints in the physical one.
The Target hackers used a protocol known as FTP, for file transfer protocol, to extract the card data, Raff said. The Neiman Marcus hackers used custom hacking software and sent the data out through a virtual private network, or VPN, Raff said, based on facts from the report.