Neiman Marcus has contacted 4.6 million digital customers regarding a data breach dating back to May 2020.
The luxury retailer notified law enforcement and is “working closely” with cybersecurity firm Mandiant to investigate the unauthorized access to personal customer information including names, contact details, payment card numbers and expiration dates. Virtual Neiman Marcus gift card numbers, not including PIN details, may also have been compromised, along with usernames, passwords, and security questions and answers customers used to access their online Neiman accounts.
Neiman required affected customers to reset their account password if they have not done so since May 2020. Notified customers were linked to roughly 3.1 million payment and virtual gift cards, more than 85 percent of which have since expired or are invalid.
“No active Neiman Marcus-branded credit cards were impacted,” the company said. “At this time, the company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.”
CEO Geoffroy van Raemdonck added that customers remain the company’s “top priority.” “We are working hard to support our customers and answer questions about their online accounts,” he said, adding that Neiman “will continue to take actions to enhance our system security and safeguard information.”
This is not Neiman’s first brush with data insecurity. In 2019, the retailer paid $1.5 million to settle claims relating to a 2014 malware attack that compromised 370,000 payment cards. But the timing of this new security incident could hardly be worse, as retailers across the spectrum encourage consumers to start their holiday shopping early.
Of course, Neiman is far from the only retailer to struggle with cybersecurity. Macy’s, Under Armour, Saks Fifth Avenue and Sears have all been breached in the past several years. The retail sector is a prime target for data breaches, given the volume of online purchases made each day.
But the December 2013 Target breach might be the worst in retail history, compromising some 40 million payment cards and the personal information of as many as 110 million customers. In August 2015, the chain agreed to pay Visa card issuers up to $67 million in costs related to the security breakdown. Five months earlier, Target committed to paying $10 million to settle a class-action lawsuit. The incident cost the company $162 million over two years.