The hackers who raided the credit-card payment system of Neiman Marcus Group Ltd. set off alerts on the company’s security systems about 60,000 times as they slunk through the network, according to an internal company investigation.
The hackers moved unnoticed in the company’s computers for more than eight months, tripping hundreds of alerts daily over some of that period because their card-stealing software was deleted automatically each day from the Dallas-based retailer’s payment registers and had to be constantly reloaded. Card data was taken from July through October.
The 157-page analysis, which is dated Feb. 14, also shows that the Neiman Marcus breach is almost certainly not the work of the same hackers who stole 40 million credit card numbers from Target Corp. (TGT), said Aviv Raff, an Internet-security expert.
“The code style and the modus operandi look totally different,” said Raff, chief technology officer of Israel-based Seculert, after Bloomberg News provided him with details of the malware reviewed in the report. “The attackers were using a specific code for a specific network, and the way they were writing their code doesn’t seem to be related to the way that the attackers on the Target breach were.”
Ginger Reeder, a spokeswoman for Neiman Marcus, said the hackers were sophisticated, giving their software a name nearly identical to the company’s payment software so that any alerts would go unnoticed amid the deluge of data routinely reviewed by the company’s security team.
“These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” Reeder said.
The company’s investigation has found that the number of customer cards exposed during the breach was lower than the original estimate of 1.1 million. The maximum number of customer cards exposed according to the most recent estimate is less than 350,000, Reeder said. Approximately 9,200 of those have been used fraudulently since the attack, she said.
Karen Katz, Neiman Marcus’s chief executive officer, updated customers on the company’s investigation into the hack in a letter on the company’s website late Friday that offered payment-card customers one free year of credit monitoring.
The U.S. Secret Service is leading both the Target and Neiman Marcus investigations. Special Agent in Charge Edward Lowery declined to comment on whether the two were linked.
According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores Inc.
New details of the cyber-attack on Neiman Marcus, which the retailer disclosed on Jan. 10, emerged in a forensic report required under security standards set by the major credit card brands. The review leaves many questions about the attack unanswered because of insufficient data. Investigators couldn’t trace how the hackers broke into the network, for example, or when the data was removed.
The company’s centralized security system, which logged activity on its network, flagged anomalous behavior of a malicious software program though it didn’t recognize the code itself as malicious or expunge it, according to the report. The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
The 59,746 alerts set off by the malware indicated “suspicious behavior” and may have been interpreted as false positives associated with legitimate software. The report, prepared for the retailer by consultant Protiviti Inc., doesn’t specify why the alerts weren’t investigated.
Kathy Keller, a spokeswoman for Protiviti, didn’t immediately respond to an e-mailed request for comment.
The hackers were aided by the hub-and-spoke design of Neiman Marcus’s point-of-sale, or POS, system, which connects the stores’ payment registers to a central computer that processes transactions. The arrangement allowed hackers to reload their software on multiple registers quickly after it was deleted at the end of each day.
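The pattern described above (alerts for a program named almost like the payment software, recurring daily across registers after each reload) can be surfaced by grouping alerts instead of reading them one at a time. The following is an added illustration, not taken from the report or from Neiman Marcus's systems; the log format, process names, allowlist and thresholds are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample alerts (not from the report): date, host, process, category.
SAMPLE_ALERTS = """\
2000-01-03,reg-01,posagnet.exe,suspicious behavior
2000-01-03,reg-02,posagnet.exe,suspicious behavior
2000-01-03,reg-01,updater.exe,suspicious behavior
2000-01-04,reg-01,posagnet.exe,suspicious behavior
2000-01-04,reg-03,posagnet.exe,suspicious behavior
2000-01-04,reg-02,posagent.exe,suspicious behavior
2000-01-05,reg-02,posagnet.exe,suspicious behavior
2000-01-05,reg-03,backup.exe,suspicious behavior
"""

# Hypothetical allowlist of approved payment-software process names.
APPROVED = {"posagent.exe"}

def parse(text):
    """Yield (day, host, process, category) tuples from the sample format."""
    for line in text.strip().splitlines():
        day, host, proc, category = line.split(",", 3)
        yield day, host, proc.lower(), category

def lookalike_of(name, approved, threshold=0.85):
    """Return the approved name that `name` closely imitates, else None."""
    if name in approved:  # exact names need hash/signer checks, not shown here
        return None
    best = max(approved, key=lambda a: SequenceMatcher(None, name, a).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def recurring_lookalikes(alerts, approved, min_days=3, min_hosts=2):
    """Flag near-miss names that keep alerting on several days and hosts."""
    days, hosts = defaultdict(set), defaultdict(set)
    for day, host, proc, _category in alerts:
        days[proc].add(day)
        hosts[proc].add(host)
    findings = []
    for proc in sorted(days):
        target = lookalike_of(proc, approved)
        if target and len(days[proc]) >= min_days and len(hosts[proc]) >= min_hosts:
            findings.append((proc, target, len(days[proc]), len(hosts[proc])))
    return findings

if __name__ == "__main__":
    for finding in recurring_lookalikes(parse(SAMPLE_ALERTS), APPROVED):
        print(finding)
```

Grouping by process name, distinct days and distinct hosts turns a stream that is a small share of daily log volume into a single finding that does not depend on anyone noticing an individual entry.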
The report also says that hackers took control of a vulnerable server that allowed them to circumvent the POS system’s security. The server connected both to the company’s secure payment system and out to the Internet via its general purpose network. New regulations distributed in November ask companies to test the security of such linkages more rigorously.
“In an ideal world, your card-data network should be completely segmented from the general-purpose network,” said Robert Sadowski, director of technology solutions at RSA Security Inc., a division of EMC Corp. “Unfortunately, an ideal world is often different than reality.”
Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS, a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase” -- in this case, Neiman Marcus stores.
Michael Kingston, the chief information officer for Neiman Marcus, told House lawmakers this month that the hackers began stealing card data on July 16. That’s when the memory-scraping malware began working, according to the report. The hackers had actually broken in four months earlier, on March 5, and spent the additional time scouting out the network and preparing the heist, a timeline in the report shows.
The Neiman Marcus hackers used different tools and a different strategy from the raiders at Target. Investigators use such details to establish and confirm perpetrators’ identities in the digital world -- akin to police use of fingerprints in the physical one.
The Target hackers used a protocol known as FTP, for file transfer protocol, to extract the card data, Raff said. The Neiman Marcus hackers used custom hacking software and sent the data out through a virtual private network, or VPN, Raff said, based on facts from the report.
Reporters on this story: Benjamin Elgin in San Francisco; Dune Lawrence in New York; Michael Riley in Washington
Editor responsible for this story: John Voskuhl