Happy Cyber Security Awareness Month.
Thought I would read this breach report through the eyes of a consumer. I don’t shop at Neiman Marcus but I thought it would be interesting. Hope you enjoy my gruff, disgruntled consumer impression.
Today in Health IT, we try to channel a customer in reading about the 3.1 million Neiman Marcus customer card details that have been breached. It is National Cybersecurity Awareness Month. Thought it would be interesting to cover this story. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Sirius Healthcare is a partner of This Week in Health IT. They reached out to me last year and we decided to partner, because they believe in our mission to develop the next generation of health leaders, and they have been a phenomenal partner. And I love working with them. If you believe in our mission and want to support our show, please shoot me a note at partner at thisweekinhealthit.com. All right, here's the story. And again, I'm going to channel a consumer who's reading this story, and it's going to sound kind of gruff, but I think this is how consumers read these stories. First of all, they are getting a little bit, I don't know, numb to these kinds of stories because there are so many of them, but regardless, I'm going to read this. And what I want you to do is imagine your health system had a breach, and this is how the consumer's reading it. All right. 3.1 million Neiman Marcus customer card details were breached. Dallas-based Neiman Marcus Group is known worldwide as the go-to luxury brand and retailer for the well-heeled. Evidently, that is a term which means wealthy, or people willing to pay more than what the goods are worth. But their reputation for impeccable quality just took a big hit with the revelation that the company was breached by an attacker back in May of 2020. But that's not the bad news. Here comes the bad news. It took 17 months for the retailer to notice. That's right. They were breached, and it took them 17 months to notice. And I'm reading that as a consumer going, are you kidding me? Gosh.
I wonder if my other information that's online is this unprotected. That their whole IT infrastructure, their security framework, doesn't have any detection that could see that this was going on for 17 months. It just horrifies me. And now I start to wonder about the rest of my accounts that are out there. 17 months. Anyway, just this week, Neiman Marcus acknowledged the compromise, which included personal customer information like names, contact information, payment card information without the codes, gift card numbers without PINs, usernames, passwords, and even security questions associated with online Neiman Marcus accounts. All right. So now I start to think, which of those things am I most worried about? I'm really worried about my username and passwords, depending on how good I am at this. I know that I have some 200-some-odd accounts out there. And I know that sounds like a lot, but if you had a password system like I do, you would know exactly how many you have out there, so that you can turn off the ones that you're not using and you can go back and update the security as needed. But think about that username and password. So they now know my username and passwords. And if I'm using that in multiple places, like, say, for a bank, or for, I don't know, Amazon or whatever else, they can have access to some other systems, which hopefully have better security than Neiman Marcus had. So that's one of the things that concerns me. The security questions concern me, although not a lot of my really high-security type of stuff uses security questions anymore, if I really thought about it. So again, not as big a deal, like what is your dog's name or what road did you live on growing up? I don't like the fact that those questions are out there in the wild, because it's just more personal information that was given away.
So as a consumer, again, I'm worried about those two aspects of it, but it doesn't make me feel any better about the fact that they have my gift cards and my credit card information. It goes on: in total, Neiman Marcus, which also controls a bunch of other brands, said 3.1 million cards were affected, but more than 85% of those had already expired, said a company spokesman. And I think, I can't believe what you're saying to me is, "Don't worry, most of these cards are already expired." 15% of them aren't. And I don't know if mine is in the 85% or the 15%, but regardless, it's almost like you're saying, hey, it's not a big deal because most of this stuff wasn't, you know, information that they can use, except they have my username and passwords and my security questions, which is what I was really more concerned about than the credit cards. Anyway. Neiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the retailer's compromise. And I wonder, after 17 months, are they going to be able to get any information? And the answer to that is probably not. And now, speaking as an IT professional, it's been so long that probably any remnants of the breach itself, where they came in, how they accessed things... I'm sure they will find some items in there that could help. But at the end of the day, that's an awful long time. That's like letting someone come in, steal your stuff, and giving them a 17-month head start to sell the stuff and hide. And it's just kind of silly. "At Neiman Marcus Group, our customers are our top priority," said the CEO. And you can understand, as I'm reading this, how disingenuous that feels to me as a customer, hearing that. Hey, you lost my information. You didn't spend the money to protect it. You didn't even know they were in your system for 17 months. And now you're telling me I'm your top priority.
If this is how you treat someone who is your top priority, I can't imagine what your lower priority things get in terms of attention. So again, it comes off as disingenuous. You have to be real careful of the wording that you use in the communication to your customers and not be too fluffy, because there should be an apology here, and it's more of a statement like, hey, Neiman Marcus, we're great. You are a top priority. You are the number one thing. And in reality, the whole story is about how you failed me and failed me miserably. Anyway, it goes on. Security experts say it's too late for Neiman Marcus to protect its customers, and that the delay in detection of the unauthorized access makes the situation more dire. And again, I'm reading what experts are saying, and they're telling me how I feel already, which is, I can't believe it took them this long to let me know about this. The breach occurred before Neiman Marcus filed bankruptcy. Again, more excuses as to why it happened. I don't really care about the excuses. I just want to know that it happened when it happens. From a security perspective, it's very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet to be discovered. And that's my concern. They don't really know. If it took them 17 months, they don't really have the systems in place to detect or respond to a breach. And now they want me to go in and change my password and update my information. I'm not going to do that. If I'm a customer, first of all, as somebody who just went through this, I'm not going to do that. He said it's likely the attacker sold off the access to the Neiman Marcus Group systems to someone else for later abuse. And we've talked about that with Drex DeFord, that these groups do have specialties. Some gain access.
And then sell that access to others who are good at exfiltrating data and then selling that data and getting the most money for that data. And so you have different groups operating in their area of expertise. They have specialized in attacking organizations. All right. Let's see. Chris Clements, VP of solutions architecture of Cerberus Sentinel, was blunter about Neiman Marcus security. "The lack of both prevention and detection capabilities at many organizations is simply staggering," Clements said. And now I start to wonder about my other systems that are out there. "I try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data." Clements added that in many breaches, it's very easy for an attacker to get their hands on customer data, despite the press releases that almost never fail to describe the attacker or the attack methods as highly sophisticated. The reality is that most breaches aren't some super cyber heist plot out of a bad movie, but rather akin to some guy walking in the front door and wheeling out your file cabinet, and no one is around to notice. When you read a story like this, it does make you question IT in general. It definitely makes you question Neiman Marcus and companies like that. But it also makes me wonder about the rest of my online accounts and how well they are protected, and at the start of National Cybersecurity Awareness Month, it makes sense to have that kind of thinking. What can I do to prevent this kind of thing? And really, again, this is my last comment as a consumer, but it makes me wonder how much control I really have of my personal data that's out there. All right. Here's my so what, transitioning a little bit from the consumer back to Bill Russell commenting on this. My so what is: healthcare has so many protections against competition that a breach will not likely lead to any customer loss, at least not yet.
We should never really feel comfortable about that, though. This does impact philanthropy. It impacts overall trust in IT and the systems. It impacts clinician trust in IT and in the systems as well. And each becomes a liability to the health system over time. Someday patients may become consumers, and then events like this will have a more substantive impact to health systems and their bottom line. But for now, that is not the case. I just thought it would be fun to read this from a patient perspective because, quite frankly, seeing it through their eyes, I hope that we are doing everything we possibly can to secure our systems. And I think we are, from the stories that I'm hearing. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: VMware, Hill-Rom, StarBridge Advisors, McAfee, and Aruba Networks. Thanks for listening. That's all for now.