Hadley Malcolm and Beth Belton, USA TODAY
Target and Neiman Marcus may not be the only U.S. retailers whose networks were breached during the holiday shopping season last year, according to a Reuters news service story posted online early Sunday.
The Reuters story and other cybersecurity websites cite sources familiar with attacks on other merchants that have yet to be publicly disclosed.
At least three other well-known U.S. retailers were hit with smaller breaches than the massive one that hit Target, using similar techniques, the Reuters story says.
No group has yet claimed responsibility for the attacks, and the Reuters story cites unnamed law enforcement sources as saying they suspect the ringleaders of the attacks are from Eastern Europe, which is where many big cybercrimes have originated the past few years.
On Saturday, Neiman Marcus publicly confirmed it had been attacked in late December and that personal data attached to credit cards had been stolen from up to 1 million customers who shopped at some of its 40 locations nationwide.
On Friday, Target revealed that up to 110 million shoppers' data may have been breached in the attack that it first disclosed on Dec. 19. It set up a dedicated customer service line to handle inquiries about the attack and is offering free credit-monitoring services to all customers.
Most states have laws that require companies to contact law enforcement agencies and customers when certain personal information is compromised. There may be a delay in notifying the public, though, if law enforcement feels it will interfere with the investigation, says Tony Anscombe, a spokesman on security for AVG Technologies, a company that provides virus protection and privacy software.
No other retailers have yet come forward to say they were involved in security breaches in recent weeks. Smaller security hacks may happen year-round but not garner headlines, Anscombe says. The attack on Target during the crucial holiday season has likely brought increased attention and interest in cybersecurity threats.
"Smaller companies probably have similar issues, but it's not a newsworthy story," Anscombe says.