American luxury retailer Neiman Marcus Group (NMG) has just disclosed a major data breach impacting approximately 4.6 million customers. The breach occurred sometime in May 2020 after “an unauthorized party” obtained the personal information of some Neiman Marcus customers from their online accounts. Neiman Marcus is working with law enforcement agencies and has selected cybersecurity company Mandiant to assist with the investigation.
Credit card and gift card numbers exposed
Yesterday, Neiman Marcus disclosed that its 2020 data breach impacted about 4.6 million customers with Neiman Marcus online accounts. The personal information of these customers was potentially compromised during the incident. The exposed data includes:
- Names, addresses and contact information
- Usernames and passwords for Neiman Marcus online accounts
- Payment card numbers and expiration dates (but not CVV numbers)
- Neiman Marcus virtual gift card numbers (without PINs)
- Security questions for Neiman Marcus online accounts
For the millions of customers being notified about the incident, “approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid,” said the company in a statement released Thursday. No active Neiman Marcus-branded credit cards were impacted. As of now, there’s also no indication that online customer accounts at Bergdorf Goodman or Horchow were impacted.
Although the data breach occurred over a year ago, NMG states it became aware of the incident this September.
Customers prompted to reset passwords
It isn’t clear whether the retail giant stored account passwords in plaintext or as salted hashes produced by a purpose-built password hashing function (bcrypt, scrypt, Argon2 or PBKDF2), a practice industry guidance has recommended for many years. The distinction matters for affected customers: with per-user salts and a deliberately slow hash, an attacker holding the stolen data must brute-force each password individually, whereas plaintext or unsalted fast hashes can be reused or cracked in bulk.
Shortly after becoming aware of the incident, Neiman Marcus began prompting customers to reset their passwords before they could log in to their online accounts. “Our investigation is ongoing, and we are working quickly to determine the nature and scope of the matter. To protect our customers, we required an online account password reset for affected customers who had not changed their password since May 2020.” Consumers should also change their passwords on any other site where they reused the same or a similar password as the one for their Neiman Marcus account.
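The article does not say how NMG stored passwords. As an added illustration, not code from Neiman Marcus, Mandiant or the article, the Python below shows what “properly hashed and salted” storage looks like (PBKDF2-HMAC-SHA256 with a random per-user salt and constant-time verification) alongside the forced-reset rule quoted in the statement. The iteration count, the use of 1 May 2020 as the start of the breach window, the function names and the sample accounts are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple

# Assumed parameters for this illustration (not from the article or from NMG).
# 600,000 PBKDF2-HMAC-SHA256 iterations matches current OWASP guidance; the
# point is that the function is deliberately slow so a stolen database cannot
# be cracked in bulk.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed: the article only says "May 2020", so the start of that month
# stands in for the beginning of the breach window.
BREACH_WINDOW_START = datetime(2020, 5, 1, tzinfo=timezone.utc)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted password record of the form
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per password means two users with the same password
    get different records, which defeats precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported password record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def needs_forced_reset(password_changed_at: datetime,
                       breach_window_start: datetime = BREACH_WINDOW_START) -> bool:
    """The rule in the company statement: anyone who has not changed their
    password since the breach window opened must reset it before logging in.
    Timestamps must be timezone-aware so the comparison cannot silently guess."""
    if password_changed_at.tzinfo is None:
        raise ValueError("password_changed_at must be timezone-aware")
    return password_changed_at < breach_window_start


def accounts_requiring_reset(accounts: Sequence[Tuple[str, datetime]],
                             breach_window_start: datetime = BREACH_WINDOW_START) -> List[str]:
    """Return the usernames from (username, password_changed_at) pairs that
    must be forced through a password reset."""
    return [name for name, changed_at in accounts
            if needs_forced_reset(changed_at, breach_window_start)]


# Constructed sample data: three hypothetical accounts, none a real customer.
SAMPLE_ACCOUNTS = [
    ("alice", datetime(2019, 11, 3, tzinfo=timezone.utc)),  # predates the breach: reset
    ("bob", datetime(2020, 6, 15, tzinfo=timezone.utc)),    # changed after the window opened
    ("carol", datetime(2021, 2, 14, tzinfo=timezone.utc)),  # changed well after
]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("force reset:", accounts_requiring_reset(SAMPLE_ACCOUNTS))
```

The record is self-describing (algorithm, iteration count and salt travel with the hash), so the iteration count can be raised later and old records re-hashed on the user's next successful login. Forcing a reset for everyone whose password predates the breach window, rather than waiting for customers to act, is what closes the credential-stuffing exposure created by leaked passwords and password reuse on other sites.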
Neiman Marcus has set up a dedicated webpage accessible from within the US (archived copy) that instructs customers to keep an eye out for unauthorized transactions. Affected individuals can also request a copy of their credit report at no charge. It is worth noting, however, that the free credit report comes from annualcreditreport.com, a joint initiative of Experian, TransUnion and Equifax that all US consumers can already use free of charge. At this time, Neiman Marcus does not appear to be providing free credit monitoring services to impacted consumers, a courtesy that has increasingly become the norm for organizations hit by breaches involving consumer PII and payment information.
This is not the company's first breach. In 2014, Neiman Marcus disclosed a malware incident that compromised over 1 million payment cards, 2,400 of which were subsequently used fraudulently.
“At Neiman Marcus Group, customers are our top priority,” says Neiman Marcus CEO Geoffroy van Raemdonck. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
NMG has set up a dedicated support center at (866) 571-9725 that consumers can ring seven days a week and mention “engagement number B019206.” In addition to monitoring their payment card activity, consumers should also watch out for Neiman Marcus-themed phishing emails targeting them.