Letter to Neiman Marcus Group President Karen Katz - Documents on Neiman Marcus Data Breach

Letter

Date: Jan. 29, 2014
Location: Washington, DC

Today Energy and Commerce Committee Ranking Member Henry A. Waxman and Commerce, Manufacturing, and Trade Subcommittee Ranking Member Jan Schakowsky sent a letter to Neiman Marcus Group President and Chief Executive Officer Karen Katz requesting information and documents on the recent cybersecurity breach affecting Neiman Marcus customers. The members seek to understand how the attack occurred, who was responsible, whether it could have been prevented, how Neiman Marcus responded, and how retailers and customers can protect themselves from future attacks.

Neiman Marcus officials have been invited to testify before the Energy and Commerce Committee on data breaches during the week of February 3, 2014.

The full text of the letter is available below.

January 29, 2014

Ms. Karen Katz
President and Chief Executive Officer
Neiman Marcus Group
One Marcus Square
1618 Main Street
Dallas, TX 75201

Dear Ms. Katz:

On January 10, 2014, Neiman Marcus announced that payment card information had been compromised in an apparent cybersecurity breach. According to Neiman Marcus, the company was informed in mid-December "of potentially unauthorized payment card activity that occurred following customer purchases."

The Committee will be holding a hearing on this breach and the overall impact of data breaches on consumers during the first week of February. We are writing to seek information needed by the Committee prior to the hearing in order to improve our understanding of the causes and impacts of the data breach affecting Neiman Marcus customers. We understand that Neiman Marcus has been invited to testify before the Committee at the hearing. We hope that Neiman Marcus will choose to testify.

While the immediate concerns relate to securing customer information and preventing fraudulent charges, there are many unanswered questions about this cyberattack and its implications for consumer privacy and data security. Questions remain about how exactly this attack was carried out, who was responsible, whether it could have been prevented, how Neiman Marcus responded, and how retailers and customers can protect themselves going forward.

One question we have is whether attacks against multiple retailers during the holiday shopping season, including Neiman Marcus, Target, and possibly Michaels Stores, were related. In addition, we have questions about why the breach took so long to discover. According to the New York Times, hackers penetrated Neiman Marcus' networks "as far back as July," yet the company failed to discover an intrusion until mid-December.

Press reports have also raised questions about the timing and adequacy of disclosure of the breach. In a January 22, 2014, briefing with Democratic staff, Neiman Marcus representatives informed staff that the company's outside forensics team confirmed an intrusion on January 1, 2014. Yet the company waited until January 10, 2014, to inform customers, after it was reported by an independent investigative reporter. While 2,400 customers were notified of confirmed fraudulent charges on January 10, 2014, Neiman Marcus waited another 12 days to notify a broader pool of customers potentially affected.

In order that we may fully understand prior to our Committee hearing how this theft of confidential customer information occurred, we ask that you please provide the following information and documents no later than February 3, 2014:

1. All written policies or guidelines relating to threat monitoring, network security, or point-of-sale system protection, including any strategies to protect against threats posed by memory-parsing malware, from January 1, 2012, to the present.

2. All documentation, pertaining to fiscal years 2013 and 2014, detailing the funds spent and persons employed on the network security of systems serving Neiman Marcus stores. Please indicate whether or not additional funds were spent or additional network security personnel hired to protect the integrity of systems serving Neiman Marcus stores during the holiday season. Please provide comparable documentation for individual fiscal year data for fiscal years 2007-2012.

3. All email correspondence, analyses, reports, or any other communications relating to memory-parsing malware or to point-of-sale system security or any other information security systems implicated in this breach for Neiman Marcus officials from January 1, 2012, to the present. Please detail whether Neiman Marcus was previously aware of any potential vulnerabilities to its point-of-sale systems or any other systems implicated in this breach. Please detail whether there are known purchase trends for the fraudulent charges as a result of this breach. Please detail the current understanding of how the attack was carried out and detail the attack vector used. Please also detail the scope of Neiman Marcus' end-to-end encryption, whether there were any gaps in the encryption process that facilitated the data theft, and whether the stolen data was in fact encrypted. Please include all documents, including email correspondence for Neiman Marcus officials from January 1, 2013, to the present, relating to Visa's April and August 2013 alerts regarding memory-parsing malware.

4. All documents relating to Neiman Marcus' response and public notification activities relating to the breach, including any formalized breach readiness plan. Please provide a detailed written timeline of when Neiman Marcus was notified of the attacks, and of the company's response and public notification activities from December 1, 2013, to the present. Please detail when, how, and by whom Neiman Marcus was first made aware of a potential security breach. Please also detail why Neiman Marcus waited until January 10, 2014, to notify customers of the breach, and why initial notification was limited to 2,400 customers rather than the broader potentially affected pool of three million customers.

We understand that much of this information is sensitive in nature and that Neiman Marcus and law enforcement officials are conducting ongoing investigations of the breach. The Committee has a long history of working with confidential and classified material in a sensitive manner, and we are happy to work with you and your staff to ensure that this is the case in this investigation.

Sincerely,

Henry A. Waxman
Ranking Member

Jan Schakowsky
Ranking Member
Subcommittee on Commerce, Manufacturing, and Trade
