Neiman Marcus Group Ltd. said yesterday that some unauthorized purchases may have been made with customer cards, the second retailer after Target Corp. to be struck by hackers during the important holiday season.
Credit-card processors alerted Neiman Marcus to the breach in mid-December and the Dallas-based luxury chain is working with federal authorities and investigating the matter, Ginger Reeder, vice president of corporate communications, said yesterday in an e-mail statement. Reeder declined today to elaborate. The Wall Street Journal, citing unidentified people familiar with the incident, said fewer than 1 million cards were compromised.
Target, which disclosed on Dec. 19 that credit- and debit-card data of 40 million accounts was taken, said yesterday that names as well as home and e-mail addresses for as many as 70 million people were stolen. The company said the second theft may have affected anyone who provided basic information to the retailer over the past several years.
The two breaches complicate matters for retailers already struggling to attract balky shoppers and cutting forecasts after engaging in a margin-eating price war during the holiday shopping season. While so far only Target and Neiman Marcus are known to have been affected, consumers will fret that other retailers also have been hacked, said Walter Loeb, president of retail consulting firm Loeb Associates in New York.
“It gives you the feeling that credit cards are not safe anyplace,” Loeb said in a phone interview today. “People are going to be more careful about how they spend their money.”
Both store and online transactions will be viewed as risky, he said.
Steps must be taken to reassure customers this won’t happen again, such as adding biometric technology to the cards.
U.S. retail sales rose 2.7 percent in November and December, the smallest increase since 2009, according to ShopperTrak, a Chicago-based researcher. Customer traffic in November and December declined 15 percent from the same period a year earlier, ShopperTrak said.
This week, retailers from home-goods merchant Pier One Imports Inc. to discounter Family Dollar Stores Inc. and luxury lingerie seller L Brands Inc. all cut their forecasts after reporting disappointing December sales as promotions hurt margins. Macy’s Inc., which has done a better job than rivals of putting enticing merchandise in its stores, was one exception, forecasting earnings for its next fiscal year that was higher than analysts’ estimated.
Target is already suffering from the hacking of its customer data. Sales at its U.S. unit were “meaningfully weaker” after the data theft was disclosed, the company said. U.S. same-store sales will fall about 2.5 percent in the quarter through January, compared with an earlier projection they would be little changed. Adjusted earnings per share will be $1.20 to $1.30 for the division, down from a previous estimate of at least $1.50.
In the past, retailers including TJX Cos. have shrugged off the impact of data breaches after a couple of months. Now, however, such revelations go viral on the Web.
“Having been in branding for almost 20 years now, I often think these things are overstated,” said Russ Meyer, a New York-based global director of strategy and insights for brand consultant Siegel & Gale. “But this may have a bigger effect because it goes to the fundamental of retailers and trust.”
The two data breaches are also a reminder that the U.S. lags behind much of the world in securing personal financial information. Many nations have done away with the magnetic strips still used in the U.S. and moved to chips embedded in the cards that are harder to compromise. The U.S. payments industry has said it will replace magnetic strips by 2020.
U.S retailers have been focused on detection, not prevention, and have been slow to adopt new technologies, Anup Ghosh, chief executive officer of Invincea, a cyber-protection firm in Fairfax, Virginia, said in a telephone interview.
He said hackers who managed to obtain Target customers’ e-mails can initiate a so-called spearphishing campaign, where they send messages purporting to be from Target, tricking recipients to click on a link and expose their information or enter personal data into what they think is a company site.
Reeder, the Neiman Marcus spokeswoman, in her statement yesterday, said a forensics firm discovered on Jan. 1 that the company was the victim of “a criminal cyber-intrusion.” The chain, acquired last year by Ares Management LLC and the Canada Pension Plan Investment Board, has taken steps to enhance information security, she said.