US luxury retailer Neiman Marcus Group (NMG) has just revealed a major data breach affecting approximately 4.6 million customers. The breach occurred sometime in May 2020 after “an unauthorized party” obtained the personal information of some Neiman Marcus customers from their online accounts. Neiman Marcus is working with law enforcement agencies and has selected the cybersecurity firm Mandiant to assist with the investigation.
Credit card and gift card numbers exposed
Yesterday, Neiman Marcus revealed that its 2020 data breach affected some 4.6 million customers with Neiman Marcus online accounts. The personal information of these customers was potentially compromised during the incident. The exposed data includes:
- Names, addresses, and contact information
- Usernames and passwords for Neiman Marcus online accounts
- Payment card numbers and expiration dates (but not CVV numbers)
- Neiman Marcus Virtual Gift Card numbers (without PINs)
- Neiman Marcus online account security questions
For the millions of customers notified about the incident, “approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid,” the company said in a statement released Thursday. No active Neiman Marcus brand credit cards were affected. As of now, there is also no indication that Bergdorf Goodman or Horchow’s online customer accounts have been affected.
Although the data breach occurred more than a year ago, NMG claims that it learned of the incident in September.
Customers are asked to reset passwords
It is unclear whether the retail giant stored user account passwords in plaintext or whether they were properly hashed with a per-user random salt using a deliberately slow password-hashing function, the practice industry experts have long recommended. The distinction matters: an unsalted or reversible store lets an attacker who holds the leaked table recover every reused password at once, while salted, slow hashes force a separate and expensive guessing effort per account.
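To make the difference concrete, the following added example (written for this article, not code from Neiman Marcus or from the investigation) stores the same constructed set of passwords two ways: an unsalted SHA-256 digest, and a per-user salt with PBKDF2-HMAC-SHA256 from the Python standard library. It then runs a small offline guessing attack against both tables. The account names, passwords, wordlist and iteration count are all invented assumptions for the demo; in production, Argon2id or scrypt via a maintained library would be preferable to PBKDF2.

```python
"""Password storage: unsalted fast hash vs. salted slow KDF (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; names and passwords are invented for this example.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2020!",
    "bob": "Summer2020!",  # same password as alice, a very common situation
    "carol": "correct-horse-battery-staple",
}
# Constructed attacker wordlist for the offline-guessing demonstration.
WORDLIST = ["password", "Summer2020!", "letmein"]

# Assumption: tune this so one verification costs roughly 100 ms on the login host.
ITERATIONS = 200_000


def weak_store(password: str) -> str:
    """Unsalted SHA-256. Identical passwords yield identical digests, and one
    hash computation per guess tests every account in the table at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (stdlib). The stored string
    carries algorithm, cost and salt so parameters can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def build_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (weak_table, strong_table) for the constructed accounts."""
    weak = {user: weak_store(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    strong = {user: strong_store(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    return weak, strong


def crack_weak(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on an unsalted table: hash each guess once, then look the
    digest up against every account. Cost is len(wordlist) hashes total."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def crack_strong(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Against a salted table the attacker must run the slow KDF for every
    (account, guess) pair; the salt defeats any shared precomputation."""
    found: Dict[str, str] = {}
    for user, stored in table.items():
        for guess in wordlist:
            if strong_verify(guess, stored):
                found[user] = guess
                break
    return found


def kdf_calls_needed(n_accounts: int, n_guesses: int, salted: bool) -> int:
    """Work factor for a wordlist attack: shared across accounts when unsalted,
    multiplied by the number of accounts when each has its own salt."""
    return n_accounts * n_guesses if salted else n_guesses


if __name__ == "__main__":
    weak, strong = build_tables()
    print("weak digests equal for alice/bob:", weak["alice"] == weak["bob"])
    print("salted records equal for alice/bob:", strong["alice"] == strong["bob"])
    print("cracked from weak table:", crack_weak(weak, WORDLIST))
    print("cracked from strong table:", crack_strong(strong, WORDLIST))
```

Note that the weak password still falls in both cases: salting and a slow KDF buy time and force per-account effort, they do not rescue a password that sits in a common wordlist, which is why the reset advice that follows still applies even if the store was hashed correctly.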
Shortly after discovering the incident, Neiman Marcus began requiring affected customers to reset their passwords before they could log into their online accounts. “Our investigation is ongoing and we are working rapidly to determine the nature and scope of the matter. To protect our customers, we request an online account password reset for affected customers who have not changed their password since May 2020.” Consumers should also change their passwords on any other website where they used the same or a similar password as on their Neiman Marcus account, since leaked credentials are routinely replayed against other services in credential-stuffing attacks.
Neiman Marcus has created a dedicated website, accessible from within the US (archived copy), that instructs customers to watch for unauthorized transactions. Affected individuals can also request a free copy of their credit report. It is worth noting, though, that this free credit report comes from annualcreditreport.com, the joint initiative of Experian, TransUnion and Equifax to which all US consumers already have free access regardless of this breach. At this time, Neiman Marcus does not appear to be offering free credit monitoring to affected consumers, a courtesy that has increasingly become the norm for organizations hit by breaches involving consumer PII and payment information.
This is not the company's first breach: in 2014 Neiman Marcus disclosed a malware incident that compromised more than 1 million payment cards, about 2,400 of which were subsequently used fraudulently.
“At Neiman Marcus Group, customers are our top priority,” says Geoffroy van Raemdonck, CEO of Neiman Marcus. “We work hard to help our customers and answer questions about their accounts online. We will continue to take steps to improve the security of our system and safeguard information.”
NMG has established a dedicated support center at (866) 571-9725 that consumers can call seven days a week, referencing “commitment number B019206”. In addition to monitoring their payment card activity, consumers should be on the lookout for Neiman Marcus-themed phishing emails, as the exposed names, contact details and security questions give attackers everything needed to craft convincing ones.