One of them was planted even earlier than July 2013

Jan 29, 2014 15:03 GMT  ·  By

Earlier this month, high-end retailer Neiman Marcus admitted suffering a data breach in which payment card data was compromised. The company says that around 1.1 million card numbers are impacted.

In a letter sent earlier this week to the New Hampshire Attorney General’s Office, Tracy Preston, senior vice president and general counsel of the Neiman Marcus Group, revealed that two pieces of malware had been used in the attack.

The piece of malware responsible for stealing Track 1 information from cards, the “scraping malware,” was planted on the retailer’s systems in July 2013. The threat was active between July and October 2013, but not every day during this period and not at all stores.

In this timeframe, a total of 1.1 million credit cards were used at the firm’s stores.

However, Neiman Marcus has also learned that this piece of malware couldn’t have functioned without another malicious element that had made its way onto the company’s networks earlier in 2013.

“Separate, related malware that allows this scraping malware to function appears to have been clandestinely inserted earlier in 2013. Neiman Marcus was not aware of any of this hidden malware until it was discovered this month by our investigative experts,” Preston noted in her letter.

Around 2,400 payment cards used at Neiman Marcus stores have been used for fraudulent transactions. However, it’s uncertain if all the information was obtained from the high-end retailer, since the cards could have been used at other companies that were targeted by cybercriminals.

Neiman Marcus has contact information for 71% of these individuals. The firm says that it has made public statements in order to inform those for whom it doesn't have contact details.

Free credit monitoring services are being offered to all those who shopped at Neiman Marcus between January 2013 and January 22, 2014.