Neiman Marcus Gets Hacked

The luxury retailer notified 4.6 million customers that information from their online accounts may have been illegally accessed.

October 1, 2021, 8:27am

The lit Neiman Marcus exterior at the Roosevelt Field Mall in Garden City, N.Y.

The Neiman Marcus Group has learned that certain personal information from the accounts of millions of customers shopping Neiman Marcus online was accessed in a data hack.

While data breaches are not uncommon in retail and other industries, Neiman’s disclosure late Thursday raises questions whether the company has not sufficiently invested in technology infrastructure and systems that would help prevent cyberattacks.

“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, chief executive officer, said in a statement. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

Neiman’s said it had notified about 4.6 million online customers that their personal information may have been accessed in the hack and that it notified law enforcement of the issue, which occurred in May 2020, and is working closely with Mandiant, a cybersecurity expert, to investigate.

The Dallas-based luxury retailer also said the personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs), and usernames, passwords and security questions and answers associated with Neiman Marcus online accounts.

Of the 4.6 million Neiman Marcus online customers being notified, about 3.1 million payment and virtual gift cards were affected, more than 85 percent of which are expired or invalid, the company said

No active Neiman Marcus-branded credit cards were impacted, the company added. As of Friday, the retailer has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected. Bergdorf’s and Horchow are divisions of Neiman Marcus Group.

It’s not the first time Neiman’s has suffered a data breach. In January 2014, the company disclosed it was hacked in 2013, exposing credit card data. At that time, about 370,000 Neiman Marcus credit cards were accessed by an unknown party. Neiman’s was required by the Texas attorney general to implement new procedures to protect customers’ personal information in the wake of concerns that the retailer didn’t act fast enough to inform customers of that breach. Neiman’s ended up paying $1.6 million to end a lawsuit over the data breach that left the credit card information of hundreds of thousands of shoppers potentially exposed.

Reacting to this latest breach, one retail source questioned whether Neiman’s has invested enough in technology and systems to create a secure environment for information and transactions. “Neiman Marcus Group has an underfunded IT infrastructure including systems that safeguard customer information and data as well as order management with vendors. If you play in the world of online customers and credit card information, you have to spend enough on the IT infrastructure,” said the source. “Many retailers have spent huge amounts of money on upgrades, millions and millions.”

The source also suggested that the latest breach occurred during Neiman’s bankruptcy last year, caused by the company’s debt load and the pandemic. The company filed for Chapter 11 bankruptcy on May 7, 2020 and emerged from the proceedings in September 2020, with new owners and vastly reduced debt.

A company spokesperson told WWD on Friday that NMG learned of the breach last month. No date was specified. “Promptly after learning of the issue, the company engaged a leading cybersecurity expert and notified law enforcement,” the spokesperson said. “To protect our customers, the company required an online account password reset for affected customers who had not changed their password since May 2020. The company will continue to take actions to enhance our system security and safeguard information.”

The company has set up a call center at 866-571-9725 to help customers. Callers should be prepared to provide engagement number B019206. The company also has set up a Neiman Marcus webpage with additional information.

The company indicated in its statement that investments in data and technology “allow us to scale a personalized luxury experience.”

“After a breach, you often see significant amounts of investment. Shareholders and management place a lot of focus on cybersecurity, but in general organizations are often faced with difficult business decisions on where to be in risk management,” said J.R. Tietsort, chief information security officer for Aura, a digital security company focused on protecting consumers from identity theft and securing their privacy.

Tietsort said many big retailers have been investing in cyber security. “They all want to do the right thing with customer data, but breaches overall have not slowed. The tools to do this are readily available on the dark web. There’s a global population of low-skilled folks that can organize these attacks.”

He said there are many areas to invest in terms of protecting data including technology staff, security experts and encrypting, which is costly.

Data breaches often take a long time to detect due to the complexity of retail IT networks and applications that are not always monitored effectively. Furthermore, “malicious (cyber) attackers are careful about when, where and how they access and exploit companies. They specialize in hiding their network connections among the regular noise of the internet traffic. It’s a needle in the haystack problem. For a company to see that needle requires them to be really mature and developed around cyber defense capabilities.” If that’s not the case, often a law enforcement agency working on some other issue or case uncovers the data breach, Tietsort explained.

He also said there are regulatory obligations requiring companies to have third parties monitoring for data breaches, and in rare cases, a consumer whose bank account was hacked could inform a retailer of the situation if the consumer used the same user name and password in both places.

“It’s prohibitively expensive to become 100 percent foolproof,” from cyber attacks, said Tiersort. “Most organization can’t afford that level of spend, but many organizations have reasonable budgets and are doing it very well.”

“This breach where almost 5 million Neiman Marcus customers had their credit card numbers, names and contact information and other personal information exposed is another example of customers facing potential personal impact but ultimately little control over the situation,” Josh Yavor, chief information security officer for Tessian, said in a statement. Tessian is a company that works to stop data breaches and security threats caused by human error — like data exfiltration, accidental data loss, and phishing attacks, according to the firm’s website.

“While the personal identifying information [PII] in this case was varied, attackers often use this type of information to launch convincing social engineering attacks against victims of the breach,” Yavor said. “For example, attackers could send phishing emails to individuals whose contact details were breached, asking them to click a link to update their username and password in the wake of the incident while referencing the last four digits of their card number, in order to harvest credentials and gain access to additional accounts.

“Consumers are not empowered or equipped to protect themselves independently,” Yavor added. “While consumers can, and should, practice good security hygiene including using strong and unique passwords, keeping their devices and browsers updated, and being on guard for social engineering attacks, service providers that store or require the use of PII have the ultimate responsibility for protecting consumers from harm. In the U.S., for example, consumer protection laws provide significant protection in the event of stolen credit cards. The same protections do not exist for debit cards, though. Additionally, companies that rely on PII for authentication and identity verification to provide services or make high-risk changes, such as changing SIM cards with a cellular provider, need to be proactive in defending consumers against fraudulent use of exposed PII.”