In latest US retail data breach, hackers steal info from Neiman Marcus


I’m fully expecting a more rapid arrest in this case.

…of a 14 year old kid in Hackensack who first reported the security hole in early 2012 and wrote a simple script to prove there was an exploitable hole but never stole anything and really just likes Fritos and Xbox with his friends.


Finally, the perfect revenge for misrepresenting the price of a cookie recipe as $2.50, when in fact it was $250!



I have been trying to do IT Security for years. In the security field we have a lot of problems. The recent Target and Neiman-Marcus breaches are symptoms of security’s problems. I tried to enumerate some of these problems in a presentation to SaintCon2013: The problems include:

  • Many of our institutional leaders advocate fake security instead of real security.
  • We love secrecy, but secrecy is not security. Some secrecy is justified, but usually the bigger the community, the more damaging the secrecy. Secrecy does not enhance meaningful community security. Secrecy blinds security. Secrecy blinds the community. Secrecy isolates security from its community. Secrecy favors the illegal over the legal, the private agenda over the public agenda, the attacker over the community.
  • We love attack, but attack is not security. The skills required to effectively defend are very different from the skills learned by attack. Attack can inform defense, but that is the limit of its contribution. You have to refine new skills to maintain an effective defense. Attack focuses on short-term objectives. When immersed in the dance of attack and react, you lose sight of your long-term objectives. If you base your defense on attack, you doom yourself to a lonely battle against insurmountable odds.
  • Our biggest problem is that we are not taught how to do security. We are taught attack. But attack is not security. We are taught checklists, but checklists are not security.

Effective Security and Defense comes from the Future.

Security is a meaningful assurance that your goals are being accomplished.

  • The details are transitory. But, without goals, security has no point.
  • Sticking to your goals when attacked is the heart of defense. Ultimately, it is the only thing that matters in security.
  • Your organization adds value by sticking to its goals. But this is more than just a matter of value added. Goals are the spirit of the organization.
  • If you don't stick to your goals when attacked, then you have lost. The attacker may not have won, but you have lost.
  • We begin to create security when we teach Security folks how to support institutional goals.
The beginning of effective defense is to create community.
  • Attack can be sharp and pointy. Defense must be deep and broad. The more people involved in Defense, the better. They must agree on purpose. They must be a community.
  • Then the community must agree on its most important goals.
  • You have to write the goals down. Review them.
  • The community must be aware of its priorities.

Without this, you have no idea who or what to defend.

The first and most important duty of security is to engage and motivate the community. Your first community will be your technical folks. But you must expand beyond them.

The second critical duty of security is to create, prioritize and maintain clearly articulated and agreed-on community goals.

The third critical duty of security is to defend the goals against substitution, dilution or distraction. Only here, at the third layer, do you begin to consider the lessons learned from attack.

Security is most commonly attacked when somebody convinces you to adopt goals that are not in your best interests. Being able to break security on demand is the holy grail of modern marketing.

Security IS possible. Effective Defense is possible. But you need to focus, plan, and prepare. Your actions must advance your goals. You must exist in the future. You can’t just react.


Huh; and here I thought Neiman-Marcus customers only paid in anonymous gold-pressed latinum.


For example, the way the US has remained committed to the values of the Constitution in the face of something bad that happened about 12 years ago.

Imagine if we had become an authoritarian state that treats its own people as the enemy. What a victory that would have been for terrorism.


Until about a year ago, that was true. Well, latinum and American Express. One wonders how many customers they have at this point who ever used a non-AE credit card.

Me. I bought my wife a bottle of Tom Ford perfume there this year (and last year) with my debit card…
Nice to know that we may have been swept up into TWO retail hacks in the same year. One more and a hat trick.

Don’t feel bad. My insurance company kept social security numbers and all demographic information on an unencrypted laptop which was stolen. Credit freeze all around. How much can you actually give a shit if you don’t even bother to encrypt?

As I understand it, their chief security officer was just filmed eating a really large steak in something like thirty seconds…


I am actually a NM shopper - I shop their clearance section women’s clothes. Every now and then I pick up something frickin’ amazing. I don’t buy normal clothes there, but I do own some real show stopper jackets, sweaters, and a swanky looking formal suit that didn’t cost me all that much more than what I’d pay at Macy’s. Their selection is killer and it’s great to browse their site to see what the trends are.

A jacket I own - you won’t find this at Marshall’s or Penny’s:

Anyway, pretty sure the debit card they have on file for me was already replaced when I got scammed on that Long Island railroad camera stunt on my way to Comic Con, so I’m not sweating it.

As far as security goes, I don’t get too hung up on whether a company loses my data or not; I assume my credit card numbers are all over the web anyway. I monitor my cards religiously for scammy purchases. That’s my defense. Fortunately my bank is very good at working with me on problem purchases.
