American luxury retailer Neiman Marcus Group (NMG) has just disclosed a serious data breach impacting roughly 4.6 million customers. The breach occurred sometime in May 2020 after “an unauthorized party” obtained the personal information of some Neiman Marcus customers from their online accounts. Neiman Marcus is working with law enforcement agencies and has chosen cybersecurity firm Mandiant to help with the investigation.
Credit card and gift card numbers exposed
Yesterday, Neiman Marcus disclosed that its 2020 data breach impacted about 4.6 million customers with Neiman Marcus online accounts. The personal information of those customers was potentially compromised during the incident. The pieces of information include:
- Names, addresses, contact information
- Usernames and passwords of Neiman Marcus online accounts
- Payment card numbers and expiration dates (though no CVV numbers)
- Neiman Marcus virtual gift card numbers (without PINs)
- Security questions of Neiman Marcus online accounts
For the millions of customers being notified about the incident, “approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid,” said the company in a statement released Thursday. No active Neiman Marcus-branded credit cards were impacted. As of now, there is also no indication that online customer accounts at Bergdorf Goodman or Horchow were impacted.
Although the data breach occurred over a year ago, NMG states it became aware of the incident this September.
Customers prompted to reset passwords
It is not clear if the retail giant had stored user account passwords in plaintext or if they were properly hashed and salted, a cybersecurity practice that industry experts have recommended for the longest time.
Shortly after becoming aware of the incident, Neiman Marcus began prompting users to reset their passwords before they could log in to their online accounts. “Our investigation is ongoing, and we are working quickly to determine the nature and scope of the matter. To protect our customers, we required an online account password reset for affected customers who had not changed their password since May 2020.” Consumers should also change their passwords for accounts on other websites where they had used the same or a similar password as the one for their Neiman Marcus account.
Neiman Marcus has set up a dedicated webpage accessible from within the US (archived copy) that instructs users to keep an eye out for unauthorized transactions. Affected individuals can also request a copy of their credit report for free. It is worth noting, though, that the free credit report is provided by annualcreditreport.com, a joint initiative by Experian, TransUnion, and Equifax, which US consumers have free access to. At this time, Neiman Marcus does not appear to be providing free credit monitoring services to impacted users, a courtesy that has increasingly become the norm for many organizations hit by breaches concerning consumer PII and payment information.
Prior to this incident, in 2014 Neiman Marcus had disclosed a malware incident that compromised over 1 million payment cards, of which 2,400 were used fraudulently as a result.
“At Neiman Marcus Group, customers are our top priority,” says Neiman Marcus CEO Geoffroy van Raemdonck. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
NMG has set up a dedicated support center at (866) 571-9725 that users can call seven days a week and mention “engagement number B019206.” In addition to monitoring their payment card activity, users should also watch out for Neiman Marcus-themed phishing emails targeting them.