WASHINGTON — Neiman Marcus executives on Tuesday defended their actions following a data breach at the luxury retailer that impacted 1.1 million of its customers.
In testimony before the Senate Judiciary Committee, Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus Group Ltd. LLC, said the company did not learn it had a “problem” with its computer system until Jan. 2, which was followed by a forensics investigation and the disabling of the malware.
Kingston said Neiman’s merchant processor informed it on Dec. 13 that Visa had “an unknown number of fraudulently reported credit cards with a possible common point of purchase at a small number of Neiman Marcus stores.” While Neiman’s pressed for more information, the merchant processor did not respond until four days later, when it said 122 MasterCards were fraudulently used. Kingston said that because of the malware’s sophisticated antidetection devices, the retailer did not learn from its forensic investigators that it had an “actual problem” with malware in its system until Jan. 2. It notified customers eight days later.
Kingston said current evidence in the ongoing forensic investigation has revealed that the potential customer payment card account information that was compromised by the malware came from transactions at 77 of its 85 stores between July and October. He said there is no indication that transactions on its Web sites or restaurants were compromised and that no PIN numbers were stolen because Neiman Marcus does not use PIN pads at its stores.
“The policies of payment card brands protect our customers from any liability for any unauthorized charges if the fraudulent charges are reported in a timely manner,” Kingston said in his testimony. “Nonetheless, we have now offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or Web sites — whether their card was exposed to the malware or not — one year of free credit monitoring and identity-theft insurance,” Kingston said.
Senators grilled Target Corp. and Neiman’s executives on the data security breaches that have affected millions of consumers, probing the industry’s preparedness to prevent future attacks and legislation to establish national standards and breach notification.
Prior to the hearing, Sens. Richard Blumenthal (D., Conn.) and Ed Markey (D., Mass.) introduced legislation to help protect consumers’ personal and financial information from hackers.
Senate Judiciary Committee Chairman Patrick Leahy (D., Vt.), who has tried to advance his own data privacy legislation for years and held the hearing, said he is “alarmed by the recent data breaches at Target and Neiman Marcus and Michaels Stores.”
“The investigations into those cyber attacks are ongoing. Yet, it is already clear that these attacks have compromised the privacy and security of millions of American consumers, potentially putting one in three Americans at risk of identity theft and other cyber crimes,” Leahy said. “Public confidence is crucial to our economy. If consumers lose faith in business’ ability to protect their personal information, our economic recovery will falter.”
Target reported a breach in December that the retailer initially said affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.
John J. Mulligan, executive vice president and chief financial officer at Target, outlined in his testimony the timeline (from Dec. 12 to Dec. 19) and the steps Target took to identify and neutralize the malware that was used in the data security breach and to issue the first notification to its customers.
“From the outset, our response to the breach has been focused on supporting our guests and strengthening our security,” Mulligan told the senators.
“The unfortunate reality is that we suffered a breach, and all businesses — and their customers — are facing increasingly sophisticated threats from cyber criminals,” Mulligan said.
Mulligan said Target now plans to take several steps to tighten its security of consumer data, including “accelerating” its investment in chip technology for Target REDcards and stores’ point of sale terminals. “We believe that chip-enabled technologies are critical to providing enhanced protection for consumers,” Mulligan said.
He also noted that Target is investing $5 million in a campaign with the Better Business Bureau, the National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to raise public awareness about cyber security and the dangers of consumer scams.
Target has not seen any fraud on its proprietary debit and credit cards due to the breach and only a “low amount” of fraud on its Target Visa card, Mulligan said.
Sen. Dianne Feinstein (D., Calif.) said she has consistently met resistance from the business community on breach notification legislation establishing a time frame for companies to notify consumers about data security breaches.
“I believe that if somebody has an account or uses credit at your institution and their data is breached, they should be notified so they can protect themselves,” Feinstein said.
“We agree with that completely,” Target’s Mulligan said. “Our focus has been on having accurate national information balanced with providing that notice as quickly as possible.…We felt that given the scope and breadth [of the breach] that public dissemination was appropriate to let all of our guests know virtually immediately. It was on the front pages of newspapers [around the country],” Mulligan said.
But Feinstein challenged Mulligan, arguing that customers should be notified directly and individually.
As for Neiman’s, Kingston said, “Once we knew that we had criminal activity inside our systems and who the impact was, we reached out individually to our customers and in fact reached out to more customers [all customers who shopped in Neiman Marcus stores for the entire year] just to be cautious, because it is important to us that our customer understands this is our primary concern.”
Senators also pressed the retailers and other experts on the panel about implementing a more secure payment card system similar to one in Europe that embeds smart chips in payment cards and requires a separate PIN number to use.
“We have been proposing ‘Chip and Pin’ for a very long time,” Mulligan said. “We are in the process of rolling it out to our stores…300 stores already have guest payment devices, and we are accelerating the $100 million investment to get those in our stores by the fourth quarter of this year, and then products we offer will have chips in them early next year.”
Kingston said Neiman Marcus does not currently use PIN pads in its stores but is willing to consider “anything that makes this process and consumer information safer, including Chip and Pin.”
“As a practical matter, it is important for the committee to understand that while the industry will be safer with that, there is a lot of work to do to make that happen,” Kingston said.