Department store chain forces password reset after discovering 2020 incident last month

UPDATED US retail giant Neiman Marcus Group is alerting 4.6 million customers to a data breach that involves payment card and virtual gift card information.

The company, which runs 37 luxury department stores in 17 states, said an unauthorized party obtained information associated with customers’ online accounts in May 2020.

It said it discovered in the incident in September, some 17 months later.


Catch up with the latest cybersecurity news from the US


Stolen data “may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts”, said the company in a press release issued yesterday (September 30).

Neiman Marcus said 3.1 million payment and virtual gift cards were impacted, but more than 85% of these were “expired or invalid”.

It added that “no active Neiman Marcus-branded credit cards were impacted”, and that no evidence had yet surfaced that customers of Neiman Marcus subsidiaries Bergdorf Goodman and Horchow were affected.

Neiman Marcus said it has notified law enforcement of the incident, while an “investigation is ongoing and the company is working quickly to determine the nature and scope of the matter”.

Password reset

Upon learning of the incident, Neiman Marcus said it enforced “an online account password reset for affected customers who had not changed their password since May 2020”.

A dedicated call center and webpage have been set up to help customers protect themselves against fraud and identity theft.

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, the company’s CEO.

“We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

Martin Jartelius, CSO of cybersecurity firm Outpost24, commented: “According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a format that is readable, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards.

“While the breach notification is good, the lack of hygiene in this case is considerable.”

However, in response, a spokesperson for Neiman Marcus Group told The Daily Swig that “the affected credit cards were not stored in ‘readable form’ – they were encrypted using encryption algorithms AES128 and AES256”.


This article was updated on October 4 with comment from Neiman Marcus Group.


RELATED Data breach at US restaurant and gambling chain Dotty’s may have leaked sensitive customer information