Malware Lurked for Months Inside Neiman

from The Wall Street Journal

Credit-Card Stealing Software Worked From July 16 to Oct. 30.

The software behind the attack at Neiman Marcus Group lurked in the luxury retailer’s payment system undetected for months, scraping data from as many as 1.1 million accounts and ending its mission before it was discovered.

The software was clandestinely inserted into the system and worked from July 16 to Oct. 30. Software to help the program work was slipped in even earlier.

Neiman didn’t even know the software was there until Jan. 1.

The details of the breach were outlined in a letter sent to Sen. Richard Blumenthal (D., Conn.) on Jan. 22 from Michael Kingston, Neiman’s chief information officer, a copy of which was reviewed by The Wall Street Journal.

All this happened in private as news of a massive breach at Target Corp. was exploding in the media.

Neiman was warned by credit-card companies it might have a problem as early as mid-December and contacted federal law enforcement officials before Christmas, but didn’t report the problem to its customers until Jan. 10, after security blogger Brian Krebs pressed the company for details.

Ginger Reeder, a Neiman spokeswoman, said the company didn’t want to alarm customers until it had a better sense of what was going on. “To do otherwise, would have caused our customers to panic, and we were trying to avoid that,” she said.
