Neiman Marcus data breach hits 4.6 million customers

The breach took place last year, but details have only now come to light

Department store Neiman Marcus is notifying 4.6 million customers that their details were compromised after a 2020 data breach.

The store chain said in a statement an “unauthorized party” obtained personal information associated with certain Neiman Marcus customers' online accounts. The information included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.

The incident occurred in May 2020, but the store has only just addressed the breach.

It added that around 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid. Data of Bergdorf Goodman and Horchow, which are part of the Neiman Marcus Group, were not affected by the breach. 

"At Neiman Marcus Group, customers are our top priority," CEO Geoffroy van Raemdonck said in a statement. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

The company has notified law enforcement and is working with Mandiant to investigate the security breach. The company has set up a website to help affected customers.

Related Resource

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Whitepaper front coverDownload now

George Papamargaritis, MSS Director of Obrela Security Industries, told IT Pro that this is a concerning incident given that the attack appears to have gone unnoticed for well over a year.

“As Neiman Marcus continues to investigate the breach, more information about exactly who’s personal data was impacted will come to light, however, in the meantime anyone notified about the breach should carefully review their bank statements between now and May last year to spot any fraudulent transactions. Any unfamiliar activity should then be reported to their bank. It will also be worthwhile working with credit reference agencies to also make sure no fraudulent credit applications have been taken out in their name,” he said.

Martin Jartelius, CSO, Outpost24, told IT Pro a shallow glance at this makes it look like yet another personal data breach, but this one is a bit different. 

“According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a readable format, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards. While the breach notification is good, the lack of hygiene, in this case, is considerable,” he said.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Establishing a strong foundation for DataOps
Whitepaper

Establishing a strong foundation for DataOps

6 Jan 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Network virtualisation for dummies
Whitepaper

Network virtualisation for dummies

3 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021

Most Popular

Google Cloud to open new office in Pune, India
Cloud

Google Cloud to open new office in Pune, India

24 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022