Neiman Marcus Group Ltd. said Jan. 10 that some unauthorized purchases may have been made with customer cards, the second retailer after Target Corp. to be struck by hackers during the important holiday shopping season.
Credit-card processors alerted Neiman Marcus to the breach in mid-December and the Dallas-based luxury chain is working with federal authorities and investigating the matter, Ginger Reeder, vice president of corporate communications, said in an e-mail statement. Reeder declined to elaborate.
The Wall Street Journal, citing unidentified people familiar with the incident, reported that fewer than 1 million cards were compromised.
Target, which disclosed on Dec. 19 that credit- and debit- card data of 40 million accounts was taken, said last week that names as well as home and e-mail addresses for as many as 70 million people were stolen. The company said the second theft may have affected anyone who provided basic information to the retailer over the past several years.
The two breaches complicate matters for retailers already struggling to attract balky shoppers and cutting forecasts after engaging in a margin-eating price war during the holiday season. While so far only Target and Neiman Marcus are known to have been affected, consumers will fret that other retailers also have been hacked, according to Walter Loeb, president of retail consulting firm Loeb Associates in New York.
"It gives you the feeling that credit cards are not safe anyplace," Loeb said. "People are going to be more careful about how they spend their money."
Both store and online transactions will be viewed as risky, he added. Steps must be taken to reassure customers this won't happen again, such as adding biometric technology to the cards.
U.S. retail sales rose 2.7 percent in November and December, the smallest increase since 2009, according to ShopperTrak, a Chicago-based researcher. Customer traffic in November and December declined 15 percent from the same period a year earlier, ShopperTrak said.
Target is already suffering from the hacking of its customer data. Sales at its U.S. unit were "meaningfully weaker" after the data theft was disclosed, the company said. U.S. same-store sales will fall about 2.5 percent in the quarter through January, compared with an earlier projection they would be little changed.
In the past, retailers including TJX Cos. have shrugged off the impact of data breaches after a couple of months. Now, however, such revelations go viral on the Web.
"Having been in branding for almost 20 years now, I often think these things are overstated," said Russ Meyer, a New York-based global director of strategy and insights for brand consultant Siegel & Gale. "But this may have a bigger effect because it goes to the fundamental of retailers and trust."
U.S. Lags In Data Security
The two data breaches are also a reminder that the U.S. lags behind much of the world in securing personal financial information. Many nations have moved to EMV chips embedded in payment cards that are harder to compromise than magnetic stripes are. The U.S. payments industry is in the process of moving to EMV-chip cards.
U.S retailers have been focused on detection, not prevention, and have been slow to adopt new technologies, said Anup Ghosh, chief executive officer of Invincea, a cyber-protection firm in Fairfax, Va.
He said hackers who managed to obtain Target customers' e- mails can initiate a so-called spearphishing campaign, where they send messages purporting to be from Target, tricking recipients to click on a link and expose their information or enter personal data into what they think is a company site.
Reeder, the Neiman Marcus spokeswoman, in her statement said a forensics firm discovered on Jan. 1 that the company was the victim of "a criminal cyber-intrusion." The chain, acquired last year by Ares Management LLC and the Canada Pension Plan Investment Board, has taken steps to enhance information security, according to Reeder.
