The attack against Neiman Marcus Group took place in May 2020, as a result of the attack, threat actors had access to customers’ information, including payment card data.
Exposed personal information includes names and contact information, usernames, passwords, and answers to security questions associated with online accounts.
The security breach impacted 4.6 million online customers, 3.1 million payment and virtual gift cards were compromised, 85% of which were either expired or invalid.
The attackers had access to payment card numbers and expiration dates, while CVV numbers were not compromised. The company also added that virtual gift card numbers, PINs were not compromised too.
“The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts. Approximately 4.6 million Neiman Marcus online customers are being notified of this issue.” states the data breach notification. “For these customers, approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid.”
According to the NMG, it has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.
The luxury retail company is already notifying the impacted customers, while the investigation is still ongoing.
In response to the security breach, NMG is requiring an online account password reset for affected customers who had not changed their password since May 2020.
“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
In early 2014, Neiman Marcus disclosed another data breach, at the time attackers had access to its customers’ data, including payment information of those who visited its stores.
(SecurityAffairs – hacking, Data breach)