Hackers Target Gyft, Neiman Marcus Customer Data
Cybercriminals continue to target payments providers and retailers, with Gyft and Neiman Marcus among the latest firms to announce separate data breaches. The attacks highlight two major data security issues facing financial providers and retailers: third-party security and the migration of fraud to online accounts as a result of enhanced POS security brought about by the arrival of EMV.
Late last week, San Francisco-based mobile gift card provider Gyft said that an “unknown party” accessed the systems of two of the company’s third-party cloud providers between Oct. 3 and Dec. 18, 2015. Among the data potentially exposed were names, contact information, birthdates and gift card numbers. The company found no evidence that any of the exposed data was used improperly to access Gyft accounts or make unauthorized purchases. No credit card information connected to Gyft accounts was compromised; full credit card numbers are not visible in Gyft accounts and all credit card purchases on Gyft require entering the card’s security code, which was not part of the information that may have been compromised, the company said. Shortly after discovering the issue, Gyft required users whose passwords were potentially compromised to reset their passwords and recommended that all users monitor any gift cards that were in their Gyft accounts before Jan. 8, 2016.
Meanwhile, luxury department store chain Neiman Marcus in late January notified 5,200 customers that their personal data—including contact info, purchase history and last four credit card digits—had been exposed to hackers, who gained access to the company’s Website on or about Dec. 26, using automated attacks that guessed users’ login IDs and passwords. The company said it suspected the logins and passwords were accessed via breaches of other companies’ systems and subsequently used to access Neiman Marcus accounts. No Social Security numbers, birthdates, full account numbers or PINs were included in the compromised data, though 70 accounts were used to make fraudulent online purchases, Neiman Marcus said. The retailer already is dealing with the fallout from a 2013 data breach that resulted in 9,000 payment cards stored in the company’s systems being used to make fraudulent purchases. In January, a federal judge rejected Neiman Marcus’ motion to toss a class action complaint related to the 2013 breach.