Data Breach Compromises 3.1M Neiman Marcus Customer Card Details

Dallas-based Neiman Marcus Group has been hit in a data breach dating back well over a year. The clothing company took 17 months to notice the breach, which affected 3.1M customers. This week, Neiman Marcus acknowledge the data breach, stating that included personal customer information like names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords, and even security questions associated with online Neiman Marcus accounts.

The group, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call, and Horchow, said 3.1 million cards were affected in total during the data breach.

“No active Neiman Marcus-branded credit cards were impacted,” the company’s statement said. “At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.”

Neiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the retailer’s data breach, the company said.

“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, the company’s CEO, said in the announcement of the data breach. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

It is believed that given the time it took Neiman Marcus to disclose the data breach, many of the cards that were exposed are expired.

While Neiman Marcus is seemingly playing down the data breach, Chris Clements, VP of solutions architecture at Cerberus Sentinel, was blunter.

“The lack of both prevention and detection capabilities at many organizations is simply staggering,” Clements said. “I try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.”

Clements added that in many breaches, it’s very easy for an attacker to get their hands on customer data.

“Despite the press releases that almost never fail to describe the attackers or attack methods as ‘highly sophisticated,’ the reality is that most breaches aren’t some ‘super cyber heist plot’ out of a bad movie, but rather akin so some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.”

Justin Fier with Darktrace, said that Neiman Marcus’s IT security team should take the position that the hackers involved have been lurking within their system since May 2020 when the initial attack took place. He adds that it’s the responsibility of Neiman Marcus to adopt a more modern security strategy.

“Today, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics and, of course, to continually monitor their risk across globally distributed networks and complex digital infrastructures”.

“As retailers like Neiman Marcus adapt to a more virtual world and embrace innovations to support remote shopping (like its recently announced virtual sneaker showroom) we should expect attacks on the industry to increase. These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers’ personal data is protected with the best defensive technology available to them.” Fier continued.

At the moment, Neiman Marcus is asking customers to reset their passwords and has set up a call center for those concerned about their information being compromised during the data breach.

Nick Sanna, CEO of RiskLens, said retailers are under both ethical and regulatory obligations to protect customer data.

“They have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature,” Sanna said. “The outcome of not doing this is exactly what Neiman Marcus Group is now facing.”