Neiman Marcus is set to pay $1.6 million to end a lawsuit over a data breach that left the credit card information of hundreds of thousands of shoppers potentially exposed.
The settlement was proposed Friday to an Illinois federal court and if approved, will resolve claims by a group of shoppers allegedly affected by a 2013 “cybersecurity incident” that saw the credit card numbers of about 350,000 in-store shoppers exposed, many of which were used to make fraudulent purchases.
A group of shoppers subsequently claimed the breach was a result of negligence on the part of Neiman Marcus Group LLC and the settlement is set to cover damages alleged by any U.S. resident that used a credit or debit card at a Neiman’s, Bergdorf Goodman, Cusp or Last Call between July and October of 2013.
While members of the proposed class will have to show that their financial information was subject to the breach in order to receive up to $100 in payment, lead plaintiffs of the proposed class said even those who do not receive payment have benefitted from the litigation.
Plaintiffs pointed to “changes to defendant’s business practices designed to further strengthen its information technology security” and so have agreed to release any and all claims related to the 2013 incident if the settlement is approved.
Plaintiffs also noted that while the proposed deal was reached through mediation that began at the end of 2015, they and Neiman’s “vehemently disagree about the merits of [the] claims,” according to court documents.
Of the $1.6 million proposed settlement, about $900,000 will go to plaintiffs’ legal fees and litigation costs and the remainder will be put into a payment fund.
A representative of Neiman’s declined to comment on the settlement or changes to company practices, citing ongoing litigation.
An Illinois federal court is expected to rule on the settlement and a request that the class be certified for claim notification purposes by June.
Neiman’s went public with the breach in January 2014, and within a few months about half a dozen lawsuits had been filed, which were eventually consolidated.
At the time, the retailer said it was working to “contain the intrusion” and to notify customers whose credit card information was used to make fraudulent purchases after shopping in-store.
For More on Cybersecurity, See: