RENEE MONTAGNE, HOST:
Neiman Marcus is the latest retailer to disclose it has large troves of customer information stolen. This comes after a major data breach at Target. Security experts say other prominent U.S. stores may have had credit card data hacked as well. The attacks point to growing vulnerabilities in cyber security. NPR's Yuki Noguchi reports.
YUKI NOGUCHI, BYLINE: Avivah Litan says she's hearing from sources at retailers that the data breaches last holiday season were not limited to the 70 million-plus Target customers and untold number of Neiman Marcus shoppers.
AVIVAH LITAN: It's clear that there is a new bout of attacks.
NOGUCHI: Litan is a security analyst at Gartner. She says remember the data thieves who struck several years ago at T.J. Maxx, J.C. Penney and Target?
LITAN: Well, they're back. It may be a different gang, it's not limited to Target. It's not limited to Nieman Marcus. It's per basis.
NOGUCHI: Litan blames, in large part, the magnetic payment strip system, which she says is more vulnerable than systems used by other countries around the world which have smart chips embedded in credit cards. David Burg, leader of cybersecurity at PricewaterhouseCoopers, adds that part of the problem is rapid innovation.
DAVID BURG: As we use more and more technologies to collaborate among businesses, or to connect with consumers using things like mobile devices and other kinds of applications that allow the consumer to interface with various corporations, what you have is an attack surface that keeps increasing in size and complexity, making it very hard to secure.
NOGUCHI: Burg says while there is a lot of pressure on retailers to alert consumers, regulatory and law enforcement officials quickly, often there are delays because criminals work hard to cover their tracks.
BURG: It's very hard to figure out what happened and how it happened and what the impact was.
NOGUCHI: Tom Kellermann is a managing director at Alvarez & Marsal, a professional services firm. He says the latest round of attacks indicate that even companies that invest heavily in sophisticated security systems are seeing new vulnerabilities from new sources, namely rogue hackers who are buying readily available software tools on the black market.
TOM KELLERMAN: There is a massive consulting and software-based industry that supports the shadow economy that is making it far easier for people who are not sophisticated to leverage these types of attacks.
NOGUCHI: Kellermann says organized crime syndicates, especially in Eastern Europe, not only make money selling the malware, they also then use the hackers' channels to their own ends. They prod at a company's network, often hanging out for months undetected, and then plan their attack.
KELLERMAN: These targeted attacks from someone who has investigated major breaches in the past, I am suggesting that this campaign in particular definitely went on for months.
NOGUCHI: The loss to the consumer is often time, getting reimbursement from their credit card company. But for the retailer, Kellermann says...
KELLERMAN: It is incalculable.
NOGUCHI: It costs about $200 per lost record to cover legal expenses and fines. In addition, as Target recently saw, a retailer's reputation takes a hit, and its stock can fall. Doug Johnson oversees risk management policy for the American Bankers Association and he says banks sustain losses as well. He says forensic investigations, as the FBI and Secret Service are conducting now on the Target and Neiman Marcus breaches, take a lot of time.
At the end of it, it's often difficult to prove where the data leaked, so banks often end up holding the bag.
DOUG JOHNSON: 'Cause it's going to be the financial institution that reimburses the customer for that fraud.
NOGUCHI: Target CEO Gregg Steinhafel apologized to customers on CNBC yesterday, saying Target would pay for credit monitoring, and he vowed to make things right for the consumers. Yuki Noguchi, NPR News, Washington.
MONTAGNE: You're listening to MORNING EDITION from NPR News.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.