Neiman Marcus says May 2020 breach includes millions of payment card numbers and expiration dates | ZDNet

Department store giant Neiman Marcus has announced a data breach involving nearly 5 million customer accounts that included payment card numbers and expiration dates alongside other personal information.

In a statement, the company said the breach occurred more than a year ago in May 2020. The company told ZDNet that they only discovered the breach in September 2021. 

The 114-year-old company filed for bankruptcy last year and said it owed between $1 billion and $10 billion to more than 50,000 creditors. 

Neiman Marcus said it hired Mandiant to investigate the data breach and has notified law enforcement about what happened. The company said it is still trying to “determine the nature and scope” of the breach. 

“The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts,” the company explained. 

“Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. For these customers, approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted.” 

The company added that they do not believe any Bergdorf Goodman or Horchow online customer accounts were included in the breach. 

Neiman Marcus said it has created a call center to answer questions about the issue at (866) 571-9725 as well as a website for potential victims.

Quentin Rhoads, a director at cybersecurity firm CRITICALSTART, theorized that the company waited so long to notify affected customers because of the bankruptcy filing. 

“From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet to be discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access,” Rhoads said.

“Even though most of the credit cards and gift cards stolen don’t contain data like PINs and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen. The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems.”

The company has a long history of data breaches, including a major one in 2013 that led to the leakage of 1.1 million customer payment cards. Credit-card skimming malware had been implanted into systems in certain stores, leading to the breach.

Neiman Marcus agreed to a settlement in 2019 worth $1.5 million with 43 states after the 2014 incident.
