On Wednesday, Neiman Marcus CEO Karen Katz announced via the company's website that malware on its payment systems may have compromised 1.1 million customer card accounts.
“While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system,” Katz wrote. “It appears that the malware actively attempted to collect or ‘scrape’ payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware.”
So far, around 2,400 payment cards used at Neiman Marcus have been used fraudulently as a result of the three-month-long breach.
Neiman Marcus was informed in mid-December 2013 of unauthorized payment card activity linked to customer purchases in its stores.
The retailer maintains that other sensitive financial data, such as PIN numbers, was not accessed during the incident, because Neiman Marcus does not use PIN pad devices at its locations.
In an FAQ section on its site, the company says that it is still unsure how many stores were impacted, or whether both credit and debit cards were affected by the breach.