3.1M Neiman Marcus Customer Card Details Breached

Experts say the detection delay of 17 months is a colossal security blunder by the retailer. 

Dallas-based Neiman Marcus Group is known worldwide as the go-to luxury retailer for the well-heeled. But their reputation for impeccable quality just took a big hit with revelations that the company was breached by an attacker back in May 2020.

It took 17 months for the retailer to notice.

Just this week, Neiman Marcus acknowledged the compromise, which included personal customer information like names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords and even security questions associated with online Neiman Marcus accounts.

In total, Neiman Marcus, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call and Horchow, said 3.1 million cards were affected. But more than 85 percent of those had already expired, the company said.

“No active Neiman Marcus-branded credit cards were impacted,” the company’s statement said. “At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.”

Neiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the retailer’s compromise, the company said.

“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, the company’s CEO, said in the announcement of the breach. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

Undetected NMG Breach ‘Dangerous’ for Customers

But security experts say it’s too late for Neiman Marcus to protect its customers and that the delay in detection of the unauthorized access makes the situation more dire.

“The breach occurred before Neiman Marcus filed for bankruptcy in September 2020, which could have caused a delay in identification,” said Quentin Rhoads, director of professional services at security firm CriticalStart. “From a security perspective it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet [to be] discovered.”

He said it’s likely the attackers sold off the access to NMG’s systems to someone else for later abuse.

“Even though most of the credit cards and gift cards stolen don’t contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning,” Rhoads added. “This data more than likely would be sold to other attackers who can use this for crimes such as [identity] theft in conjunction with the other personal information stolen.”

He also said it’s going to be hard to find any firm evidence of the breach, since so much time has passed since the initial compromise.

“More than likely, critical evidence is no longer present in their systems,” Rhoads said. “They could easily be unable to identify the initial point of the breach, what other areas did the attackers get access to, what the attackers did outside of stealing data. All of these points are critical for an organization to understand to appropriately notify [affected] parties, identify pathways to prevent this in the future, and [to provide] critical evidence to law enforcement to further criminal investigations.”

Lack of Security at Many Orgs Is ‘Staggering’

Chris Clements, VP of solutions architecture at Cerberus Sentinel, was blunter about Neiman Marcus’ security blunder.

“The lack of both prevention and detection capabilities at many organizations is simply staggering,” Clements said. “I try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.”

Clements added that in many breaches, it’s very easy for an attacker to get their hands on customer data.

“Despite the press releases that almost never fail to describe the attackers or attack methods as ‘highly sophisticated,’ the reality is that most breaches aren’t some ‘super cyber heist plot’ out of a bad movie, but rather akin to some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.”

Justin Fier, a director with Darktrace, said Neiman Marcus’s security team should assume the attacker has been lurking in its systems since May 2020. He added that it’s the responsibility of Neiman Marcus to adopt a more modern security strategy.

“Today, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics and, of course, to continually monitor their risk across globally distributed networks and complex digital infrastructures,” Fier said. “As retailers like Neiman Marcus adapt to a more virtual world and embrace innovations to support remote shopping (like its recently announced virtual sneaker showroom) we should expect attacks on the industry to increase. These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers’ personal data is protected with the best defensive technology available to them.”

For now, Neiman Marcus is asking customers to reset their passwords and has set up a call center for those concerned about their information being compromised.

Nick Sanna, CEO of RiskLens, said retailers are under both ethical and regulatory obligations to protect customer data.

“They have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature,” Sanna said. “The outcome of not doing this is exactly what Neiman Marcus Group is now facing.”
