Neiman Marcus Says 4.6 Million Affected by Data Breach
Exposed Data Includes Login Credentials, Security Questions
Dallas-based Neiman Marcus Group says it is notifying 4.6 million of its online customers who are affected by a data breach that occurred in May 2020.
The compromised data includes usernames, passwords, and security questions and answers linked with online accounts. Neiman Marcus has triggered a password reset for accounts that have not changed their passwords since the breach.
The other compromised data varies but may have included names and contact information, Neiman Marcus says in a news release.
Around 3.1 million payment cards and virtual gift cards are affected, but more than 85% of those cards are either invalid or have expired. Payment card numbers and expiration dates were exposed, but not the CVVs, which are the three-digit security codes on the back of a card. Gift card PINs were not exposed.
No active Neiman Marcus-branded credit cards were affected, and the company says that it has no evidence that online accounts for Bergdorf Goodman or Horchow, which are related brands owned by the group, were affected.
Neiman Marcus didn't offer an explanation for the 16-month gap between when the breach occurred and when the company started notifying those affected. A spokesperson says Neiman Marcus became aware of the latest issue in early September.
It has retained the cybersecurity firm Mandiant to conduct a forensic investigation. Neiman Marcus began sending email notices to those affected on Thursday, the spokesperson says.
The latest incident adds to a rough history for Neiman Marcus, which was targeted by attackers in 2013 and 2015.
In 2013, attackers installed malware on the company's systems that collected payment card data. The malware was active for about four months that year, and it grabbed data for 370,000 payment cards. Some 9,200 cards were fraudulently used.
Following the incident, Neiman Marcus faced class action lawsuits and was sued by 43 states. It reached a settlement in 2019, agreeing to pay $1.5 million (see: Neiman Marcus Settles Lawsuit Over Payment Card Breach).
The settlement also required that Neiman Marcus ensure that attackers could not steal usable cardholder data from its systems and employ technologies such as encryption and tokenization. It was also required to ensure it was compliant with the Payment Card Industry's Data Security Standard, or PCI-DSS, and have EMV-capable systems, which can process cards with an embedded microchip.
In December 2015, attackers managed to compromise 5,200 online accounts, about 70 of which were used to make fraudulent purchases. Neiman Marcus updated its disclosure in April 2017, saying that the attackers actually had full access to card numbers and expiration dates (see: Neiman Marcus: 2015 Breach Exposed Full Card Details).
Also in April 2017, Neiman Marcus disclosed an incident in January of that year that affected the websites of Neiman Marcus and related brands, including Bergdorf Goodman, Last Call, CUSP, Horchow and a loyalty program called InCircle. The attack recycled stolen credentials from other sites and exposed some customers' names, contact information, email addresses, purchase histories and the last four digits of payment card numbers.