
Neiman Marcus Says 4.6M Affected by Data Breach


Account Takeover Fraud, Card Not Present Fraud, Cybercrime

Exposed Data Includes Login Credentials, Security Questions


Dallas-based Neiman Marcus Group says it is notifying 4.6 million of its online customers affected by a data breach that occurred in May 2020.


The compromised data includes usernames, passwords, and the security questions and answers linked to online accounts. Neiman Marcus has forced a password reset on accounts whose passwords have not been changed since the breach.

The other compromised data varies but may have included names and contact information, Neiman Marcus says in a news release.

Around 3.1 million payment cards and virtual gift cards are affected, but more than 85% of those cards are either invalid or have expired. Payment card numbers and expiration dates were exposed, but not the CVVs, which are the three-digit security codes on the reverse of a card. Gift card PINs were not exposed.

No active Neiman Marcus-branded credit cards were impacted, and it says that it has no evidence that online accounts for Bergdorf Goodman or Horchow, which are related brands owned by the group, were affected.

Neiman Marcus didn’t offer an explanation as to why there’s a 16-month gap between when the breach occurred and when it started notifying those affected. A spokesperson says Neiman Marcus became aware of the latest issue in early September.

It has retained the cybersecurity firm Mandiant to conduct a forensic investigation. Neiman Marcus began sending email notices to those affected on Thursday, the spokesperson says.

Past Breaches

The latest incident adds to a rough history for Neiman Marcus, which was targeted by attackers in 2013 and 2015.

In 2013, attackers installed malware on the company’s systems that collected payment card data. The malware was active for about four months that year, and it grabbed data for 370,000 payment cards. Some 9,200 cards were fraudulently used.

Following the incident, Neiman Marcus faced class-action lawsuits and was sued by 43 states. It reached a settlement in 2019, agreeing to pay $1.5 million (see Neiman Marcus Settles Lawsuit Over Payment Card Breach).

The settlement also required Neiman Marcus to ensure that attackers could not steal usable cardholder data from its systems and to employ technologies such as encryption and tokenization. It was also required to ensure it was compliant with the Payment Card Industry Data Security Standard, or PCI DSS, and to have EMV-capable systems, which can process cards with an embedded microchip.

In December 2015, attackers managed to compromise 5,200 online accounts, about 70 of which were used to make fraudulent purchases. Neiman Marcus updated its disclosure in April 2017, saying that the attackers actually had full access to card numbers and expiration dates (see Neiman Marcus: 2015 Breach Exposed Full Card Details).

Also in April 2017, Neiman Marcus disclosed an incident in January of that year that affected the websites of Neiman Marcus and related brands, including Bergdorf Goodman, Last Call, CUSP, Horchow and a loyalty program called InCircle. The attack reused credentials stolen from other sites, a credential-stuffing attack, and exposed some customers' names, contact information, email addresses, purchase histories and the last four digits of payment card numbers.




