Target, Neiman Marcus face data breaches. Now, others?

Data breaches compromised the financial information of millions of shoppers at Target and Neiman Marcus over the holidays, and more might be coming to light soon. How much should shoppers worry?  

John Gress/Reuters/File
A shopper enters a Neiman Marcus store in Oak Brook, Ill. Neiman Marcus and Target faced major data breaches over the holidays.

It’s shaping up to be a nightmarish holiday shopping season for US retailers. First, Target fell victim to a data breach that compromised between 70 million and 110 million shoppers’ financial information (including credit card numbers, PIN numbers, and e-mail and mailing addresses). Last week, high-end department store Neiman Marcus disclosed its own cyberattack, which put the information of up to 40 million shoppers at risk.

More may be on the way. Reuters reported Sunday that at least three other well-known US retailers faced data breaches during the holidays, citing information from unnamed sources.

“The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches,” the Reuters report reads. “Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cybercrime cases have been hatched over the past decade.”

The report didn’t say whether the Neiman Marcus breach was related to the others.

The Target cyber break-in affected customers who shopped in-store and online between Nov. 27 and Dec. 15, in the thick of the holiday season. Though Target initially said about 40 million shoppers were affected, the retailer revealed last week that the hackers stole between 70 million and 110 million shoppers’ credit card numbers, PIN numbers, e-mail and mailing addresses, and phone numbers. Target also came under fire for waiting four days to disclose the breach publicly. 

Target chairman and CEO Gregg Steinhafel defended that decision in an interview on CNBC Monday, saying that the company “wanted to make sure our stores and our call centers could be as prepared as possible,” and that employees “worked around the clock to try and do the right thing.” He reiterated that because the matter is still under federal investigation, Target “can only share so much.”

Neiman Marcus’s investigation is also ongoing. "We informed federal law enforcement agencies and are working actively with the US Secret Service; the payment brands; our merchant processor; a leading investigations, intelligence, and risk management firm; and a leading forensics firm to investigate the situation," the company’s official statement reads.

Both Target and Neiman Marcus pointed to malware installed on “point of sale” registers as the problem, which Reuters also cited in its report on the other targeted stores. Visa warned of similar attempted attacks on its system early last year, but the latest rounds are much more sophisticated, according to TechCrunch.

The good news? Such attacks are less damaging to consumers than they are to retailers. Yes, there’s the hassle of canceling credit cards, changing e-mail passwords, and extra-careful monitoring of bank statements. But credit card companies will pay for any fraudulent charges, and then recover the money by charging the retailer. That means Target stands to take a big hit: as much as $50 million, according to CNN Money. The retailer also announced last week it would offer free credit monitoring and identity-theft protection for worried customers.

The biggest risk, experts say, is that potential scammers could have customers’ contact information and the knowledge that they shop at Target. But that on its own isn’t enough for identity theft. "It's bad they got a customer list, but the worst case scenario is a very targeted email phishing campaign," Adrian Sanabria, a security analyst, told CNN Money. "I don't see any risk of identity theft from having that exposed."
