Neiman Marcus sends notices of breach to 4.3 million customers

Neiman Marcus, the Texas-based luxury department stores chain, is sending notices of a data breach to roughly 4.3 million customers.

According to the letter, which has been shared with Maine’s Attorney General’s office, the data breach unfolded back in May 2020 when a cyber-intruder gained access to a large number of online account credentials and used them to access private customer information. The firm discovered the incident only on September 9, 2021. 

While Neiman Marcus has not explained how their systems were breached, they state that sensitive customer information was exposed, including:

• Online account username
• Online account password
• credit card number and expiration date
• Security questions and the matching answers
• Neiman Marcus virtual gift card number
• Shipping address
• Contact information

The retail out states that no CVV numbers were stored in Neiman Marcus’ systems, making it harder to use the stolen payment card details.

Furthermore, over 85% of the 3.1 million virtual gift cards that have been compromised were already invalidated (used) or expired. And finally, no gift card PINs were exposed to hackers.

Neiman Marcus forced a reset on the affected customers’ online accounts, and recipients will have to set up a new password to access their accounts.

The data breach notification doesn’t clarify if the passwords were hashed and salted or if they were stored in plain text form, so if you are using the same credentials elsewhere, you should change them immediately.

No protection offered

The issue that remains is the partial information on people’s payment cards. While these are not directly usable, they’re far from being worthless.

Unfortunately, the firm hasn’t offered free credit monitoring or identity theft protection services that typically accompany these announcements. Instead, people are merely advised to monitor their bank statements and report any transactions they don’t recognize to the card issuer as soon as possible.

Placing a security freeze on your credit file is recommended to avoid having this information used in identity theft or other fraudulent activity.

Another thing to watch out for are phishing emails that use this particular incident as a lure to trick you into giving away sensitive data.

You should only set up a new password directly through the Neiman Marcus portal and not click on any links sent via email urging you to reset your credentials.

According to statement shared with Reuters, the divisions of Bergdorf Goodman and Horchow have not been affected by this incident.