WASHINGTON — Neiman Marcus executives on Tuesday defended their actions following a data breach at the luxury retailer that impacted 1.1 million of its customers.
In testimony before the Senate Judiciary Committee, Michael R. Kingston, senior vice president and chief information officer at Neiman Marcus Group Ltd. LLC, said the company did not learn it had a “problem” with its computer system until Jan. 2, which was followed by a forensics investigation and disabling the malware.
Kingston said Neiman’s merchant processor informed it on Dec. 13 that Visa had “an unknown number of fraudulently reported credit cards with a possible common point of purchase at a small number of Neiman Marcus stores.” While Neiman’s pressed for more information, the merchant processor did not respond until four days later, when it said 122 MasterCards were fraudulently used. Kingston said that because of the malware’s sophisticated antidetection devices, the retailer did not learn from its forensic investigators that it had an “actual problem” with malware in its system until Jan. 2. It notified customers eight days later.
Kingston said current evidence in the ongoing forensic investigation has revealed that the potential customer payment card account information that was compromised by the malware came from transactions at 77 of its 85 stores between July and October. He said there is no indication that transactions on its Web sites or restaurants were compromised and that no PIN numbers were stolen because Neiman Marcus does not use PIN pads at its stores.
“The policies of payment card brands protect our customers from any liability for any unauthorized charges if the fraudulent charges are reported in a timely manner,” Kingston said in his testimony. “Nonetheless, we have now offered to any customer who shopped with us in the last year at either Neiman Marcus Group stores or Web sites — whether their card was exposed to the malware or not — one year of free credit monitoring and identity-theft insurance,” Kingston said.
Senators grilled Target Corp. and Neiman’s executives on the data security breaches that have affected millions of consumers, probing the industry’s preparedness to prevent future attacks and legislation to establish national standards and breach notification.
Prior to the hearing, Sens. Richard Blumenthal (D., Conn.) and Ed Markey (D., Mass.) introduced legislation to help protect consumers’ personal and financial information from hackers.
Senate Judiciary Committee Chairman Patrick Leahy (D., Vt.), who has tried to advance his own data privacy legislation for years and held the hearing, said he is “alarmed by the recent data breaches at Target and Neiman Marcus and Michaels Stores.”
“The investigations into those cyber attacks are ongoing. Yet, it is already clear that these attacks have compromised the privacy and security of millions of American consumers, potentially putting one in three Americans at risk of identity theft and other cyber crimes,” Leahy said. “Public confidence is crucial to our economy. If consumers lose faith in business’ ability to protect their personal information, our economic recovery will falter.”
Target reported a breach in December that the retailer initially said affected 40 million consumers who purchased goods in stores and potentially had their debit and credit card information stolen. The retailer later said another 70 million consumers may have had personal data such as their names, addresses, e-mail addresses and phone numbers stolen.
John J. Mulligan, executive vice president and chief financial officer at Target, outlined in his testimony the timeline (from Dec. 12 to Dec. 19) and the steps Target took to identify and neutralize the malware that was used in the data security breach, up to the first notification to its customers.
“From the outset, our response to the breach has been focused on supporting our guests and strengthening our security,” Mulligan told the senators.
“The unfortunate reality is that we suffered a breach, and all businesses — and their customers — are facing increasingly sophisticated threats from cyber criminals,” Mulligan said.
Mulligan said Target now plans to take several steps to tighten its security of consumer data, including “accelerating” its investment in chip technology for Target REDcards and stores’ point of sale terminals. “We believe that chip-enabled technologies are critical to providing enhanced protection for consumers,” Mulligan said.
He also noted that Target is investing $5 million in a campaign with the Better Business Bureau, the National Cyber Security Alliance and the National Cyber-Forensics & Training Alliance to raise public awareness about cyber security and the dangers of consumer scams.
Target has not seen any fraud on its proprietary debit and credit cards due to the breach and only a “low amount” of fraud on its Target Visa card, Mulligan said.
Sen. Dianne Feinstein (D., Calif.) said she has consistently met resistance from the business community on breach notification legislation establishing a time frame for companies to notify consumers about data security breaches.
“I believe that if somebody has an account or uses credit at your institution and their data is breached, they should be notified so they can protect themselves,” Feinstein said.
“We agree with that completely,” Target’s Mulligan said. “Our focus has been on having accurate national information balanced with providing that notice as quickly as possible.…We felt that given the scope and breadth [of the breach] that public dissemination was appropriate to let all of our guests know virtually immediately. It was on the front pages of newspapers [around the country],” Mulligan said.
But Feinstein challenged Mulligan, arguing that customers should be notified directly and individually.
As for Neiman’s, Kingston said, “Once we knew that we had criminal activity inside our systems and who the impact was, we reached out individually to our customers and in fact reached out to more customers [all customers who shopped in Neiman Marcus stores for the entire year] just to be cautious, because it is important to us that our customer understands this is our primary concern.”
Senators also pressed the retailers and other experts on the panel about implementing a more secure payment card system similar to one in Europe that embeds smart chips in payment cards and requires a separate PIN number to use.
“We have been proposing ‘Chip and Pin’ for a very long time,” Mulligan said. “We are in the process of rolling it out to our stores…300 stores already have guest payment devices, and we are accelerating the $100 million investment to get those in our stores by the fourth quarter of this year, and then products we offer will have chips in them early next year.”
Kingston said Neiman Marcus does not currently use PIN pads in its stores but is willing to consider “anything that makes this process and consumer information safer, including Chip and Pin.”
“As a practical matter, it is important for the committee to understand that while the industry will be safer with that, there is a lot of work to do to make that happen,” Kingston said.