Neiman Marcus data breach hits 4.6 million customers

Department store Neiman Marcus is notifying 4.6 million customers that their details were compromised after a 2020 data breach.

The store chain said in a statement an “unauthorized party” obtained personal information associated with certain Neiman Marcus customers' online accounts. The information included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.

The incident occurred in May 2020, but the store has only just addressed the breach.

It added that around 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid. Data of Bergdorf Goodman and Horchow, which are part of the Neiman Marcus Group, were not affected by the breach.

"At Neiman Marcus Group, customers are our top priority," CEO Geoffroy van Raemdonck said in a statement. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

The company has notified law enforcement and is working with Mandiant to investigate the security breach. The company has set up a website to help affected customers.

George Papamargaritis, MSS Director of Obrela Security Industries, told IT Pro that this is a concerning incident given that the attack appears to have gone unnoticed for well over a year.

“As Neiman Marcus continues to investigate the breach, more information about exactly who’s personal data was impacted will come to light, however, in the meantime anyone notified about the breach should carefully review their bank statements between now and May last year to spot any fraudulent transactions. Any unfamiliar activity should then be reported to their bank. It will also be worthwhile working with credit reference agencies to also make sure no fraudulent credit applications have been taken out in their name,” he said.

Martin Jartelius, CSO, Outpost24, told IT Pro a shallow glance at this makes it look like yet another personal data breach, but this one is a bit different.

“According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a readable format, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards. While the breach notification is good, the lack of hygiene, in this case, is considerable,” he said.