Neiman Marcus said over the weekend that cards of some customers had been used fraudulently, but provided little additional information.
The announcement follows a breach at Target that could become the largest in U.S. retail history. The discount retailer acknowledged Friday that up to 110 million customers were affected.
“Clearly we are accountable and we are responsible—but we are going to come out at the end of this a better company and we are going to make significant changes,” Target CEO Gregg Steinhafel said in an interview with CNBC.
In addition to the 40 million customers of the chain’s U.S. stores whose credit and debit card data was stolen during the busy holiday shopping season, hackers lifted personal information — including names, addresses, e-mail addresses and phone numbers — for 70 million customers.
There may be some overlap between the two groups, but Target couldn’t say how many were counted twice.
Among those 70 million people might be customers who haven’t shopped at Target recently, but whose information was stored in company databases. It was unclear if online shoppers were affected by the personal information breach, and spokeswoman Molly Snyder said only that the information was collected and stored “during the normal course of business.”
Neiman Marcus said Saturday it, too, was “the victim of a criminal cyber-security intrusion” involving customers’ credit cards.
The luxury retailer said in an online post that it was notifying “customers whose cards we know were used fraudulently after purchasing at our stores.” Neiman Marcus spokeswoman Ginger Reeder said she could not say how many customers were affected or notified.
The breaches raised questions about whether other retailers had also been targeted. The news agency Reuters, citing unnamed sources and without naming stores, reported that at least three other retailers in the U.S. had suffered breaches with tactics similar to those used at Target.
That wouldn’t surprise Daniel Ingevaldson, chief technology officer at Easy Solutions. He said, based on his experience, breaches happen often but “they’re not being noticed.”
A spokesman for the Secret Service, which is investigating the Target breach, had no comment on whether the agency was investigating breaches at other retailers. Officials at the Justice Department did not immediately return requests for comment. Several major retailers — including CVS Caremark, KMart, Macy’s, Sears, Walgreens, and Wal-Mart — told CNNMoney on Monday they had observed no breaches and continued to monitor their systems.
Credit card numbers enter the black market: The impact of the breaches on customers, their banks and the retailers is not yet known.
But millions of stolen credit card numbers have recently turned up on the black market, according to Ingevaldson.
Easy Solutions works with financial services firms and retailers on fraud, and monitors black markets where credit card data is fraudulently sold. The company is not working for Target or Neiman Marcus investigating their breaches, Ingevaldson said.
Many online forums that trade in this data are based in Eastern Europe, though it “really it doesn’t matter where these forums are,” he said, because the black market for stolen information is global.
Customers are not liable for unauthorized purchases made on their cards, although in some cases the process to dispute such charges can be burdensome and lengthy.
Experts recommend customers be proactive: Check bank statements regularly, especially for small charges — a few pennies, perhaps — that may represent a thief checking to see if the account is still active.
Anyone who believes they may have been caught up in the hack can also call the retailer directly. Target set up a hotline for customers at 866-852-8680 and a website. Consumers should be wary of phone calls, e-mails and letters offering assistance.
What is known about Neiman Marcus and Target breaches: Neiman Marcus, which operates upscale clothing and home goods stores in nearly two dozen states, has not said yet whether the hack affected in-store shoppers or online shoppers, how hackers gained access to the information, and when they first gained access.
The company said it was notified of a possible hack in mid-December, and a forensics firm confirmed the issue on Jan. 1.
Target acknowledged a breach of its systems in mid-December. An investigation into the hacking of credit and debit card numbers revealed that encrypted PIN numbers for debit cards had been stolen. It also turned up the additional breach involving data such as customer names and phone numbers. The retailer said it was notifying as many customers as it could, and would provide free credit monitoring and identity theft protection.
Dozens of lawsuits seeking class-action status were filed against Target in the days after it announced the breach last month. Target is behind Wal-Mart as the nation’s No. 2 general merchandise retailer. It said that sales dipped as much as 6% after it first revealed publicly that it had been hacked.