Neiman Marcus data breach impacts 4.6 million customers
American luxury retailer Neiman Marcus Group (NMG) has just announced a serious data breach that affects around 4.6 million customers. The breach occurred sometime in May 2020 after “an unauthorized party” obtained the personal information of some Neiman Marcus customers from their online accounts. Neiman Marcus is working with law enforcement agencies and has selected cybersecurity company Mandiant to assist in the investigation.
Credit card and gift card numbers disclosed
Yesterday, Neiman Marcus announced that its 2020 data breach affected approximately 4.6 million customers with Neiman Marcus online accounts. These customers’ personal information may have been compromised during the incident. The information includes:
- Names, addresses, contact details
- Usernames and passwords from Neiman Marcus online accounts
- Payment card numbers and expiration dates (but not CVV numbers)
- Neiman Marcus virtual gift card numbers (without PINs)
- Neiman Marcus Online Account Security Issues
Of the millions of customers who were informed about the incident, “around 3.1 million payment and virtual gift cards were affected, more than 85% of which have expired or are invalid,” said the company in a statement released on Thursday. No active Neiman Marcus brand credit cards were affected. No Bergdorf Goodman or Horchow online customer accounts were affected either.
Although the data breach occurred over a year ago, NMG said it became aware of the incident in September.
Customers asked to reset passwords
It’s not clear if the retail giant had user account passwords stored in clear text or if they were properly hashed and salted – a cybersecurity practice industry experts have long recommended.
Shortly after Neiman Marcus became aware of the incident, it asked its customers to reset their passwords before they could log into their online accounts. “Our investigations are ongoing and we are working quickly to determine the nature and scope of the matter. To protect our customers, we have requested an online reset of the password for the account for affected customers who have not changed their passwords since May 2020.” Consumers should also change their passwords on any other websites where they used a password that is the same as or similar to the one for their Neiman Marcus account.
Neiman Marcus has set up a dedicated webpage accessible from the US (archived copy) that instructs customers to keep an eye out for unauthorized transactions. Affected individuals can also request a copy of their credit report free of charge. It is worth noting, however, that the free credit report is provided by annualcreditreport.com, a joint effort by Experian, TransUnion, and Equifax that US consumers already have access to for free. At this time, Neiman Marcus does not appear to be offering free credit monitoring services to affected consumers – a courtesy that has become the norm for most businesses affected by breaches of consumer PII and payment information.
Prior to this incident, Neiman Marcus announced a malware incident in 2014 that compromised over 1 million payment cards, 2,400 of which were used fraudulently.
“At the Neiman Marcus Group, customers have top priority,” says Neiman Marcus CEO Geoffroy van Raemdonck. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take steps to improve our system security and protect information.”
NMG has set up a dedicated support center at (866) 571-9725 that consumers can call seven days a week, quoting “Engagement number B019206”. In addition to monitoring their payment card activity, consumers should also be on the lookout for Neiman-Marcus-themed phishing emails targeting them.