Luxury retailer Niemen Marcus Group (NMG) learned an unauthorized party obtained personal information associated to certain Neimen Marcus’ online accounts in May of 2020. NMG is notifying 4.6 million of its online customers about the data breach that happened last year. The company is working with cybersecurity expert, Mandiant to investigate the incident.
The personal information for affected customers is varied, according to a statement from the company. Compromised details may have included information such as payment card numbers, expiration dates (without CVV numbers), virtual giftcard numbers (without PINS), usernames, passwords, security questions and answers associated with Neimen Marcus accounts.
According to the company, approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted.
Related: Report: Pandemic Led to More Expensive Data Breaches
NMG is requiring an online account password reset for affected customer who have not changed their passwords since May of 2020. NMG has set up a call center and webpage for those impacted by the data breach.
“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief executive officer in a statement. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
Martin Jartelius, CSO, Outpost24, told IT Pro, “According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a readable format, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards. While the breach notification is good, the lack of hygiene, in this case, is considerable,” he said.
This incident comes in the wake of certain industry groups worrying about forthcoming legislation when it comes to disclosing breached data and other cyber threats.
Leave a Reply