While data breaches are not uncommon in retail and other industries, Neiman’s disclosure late Thursday raises questions about whether the company has sufficiently invested in the technology infrastructure and systems that would help prevent cyberattacks.
“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, chief executive officer, said in a statement. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
Neiman’s said it had notified about 4.6 million online customers that their personal information may have been accessed in the hack and that it notified law enforcement of the issue, which occurred in May 2020, and is working closely with Mandiant, a cybersecurity expert, to investigate.
Neiman’s investigation is ongoing and the company is working “quickly” to determine the nature and scope of the matter.
The Dallas-based luxury retailer also said the personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords and security questions and answers associated with Neiman Marcus online accounts.
Of the 4.6 million Neiman Marcus online customers being notified, about 3.1 million payment and virtual gift cards were affected, more than 85 percent of which are expired or invalid, the company said.
No active Neiman Marcus-branded credit cards were impacted, the company added. As of Friday, the retailer has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected. Bergdorf’s and Horchow are divisions of Neiman Marcus Group.
It’s not the first time Neiman’s has suffered a data breach. In January 2014, the company disclosed it was hacked in 2013, exposing credit card data. At that time, about 370,000 Neiman Marcus credit cards were accessed by an unknown party. Neiman’s was required by the Texas attorney general to implement new procedures to protect customers’ personal information in the wake of concerns that the retailer didn’t act fast enough to inform customers of that breach. Neiman’s ended up paying $1.6 million to end a lawsuit over the data breach that left the credit card information of hundreds of thousands of shoppers potentially exposed.
Reacting to this latest breach, one retail source questioned whether Neiman’s has invested enough in technology and systems to create a secure environment for information and transactions. “Neiman Marcus Group has an underfunded IT infrastructure including systems that safeguard customer information and data as well as order management with vendors. If you play in the world of online customers and credit card information, you have to spend enough on the IT infrastructure,” said the source. “Many retailers have spent huge amounts of money on upgrades, millions and millions.”
The source also suggested that the latest breach occurred during Neiman’s bankruptcy last year, caused by the company’s debt load and the pandemic. The company filed for Chapter 11 bankruptcy on May 7, 2020 and emerged from the proceedings in September 2020, with new owners and vastly reduced debt.
A company spokesperson told WWD on Friday that NMG learned of the breach last month. No date was specified. “Promptly after learning of the issue, the company engaged a leading cybersecurity expert and notified law enforcement,” the spokesperson said. “To protect our customers, the company required an online account password reset for affected customers who had not changed their password since May 2020. The company will continue to take actions to enhance our system security and safeguard information.”
The company has set up a call center at 866-571-9725 to help customers. Callers should be prepared to provide engagement number B019206. The company also has set up a Neiman Marcus webpage with additional information.
The company indicated in its statement that investments in data and technology “allow us to scale a personalized luxury experience.”
“Consumers are not empowered or equipped to protect themselves independently,” Yavor added. “While consumers can, and should, practice good security hygiene including using strong and unique passwords, keeping their devices and browsers updated, and being on guard for social engineering attacks, service providers that store or require the use of PII have the ultimate responsibility for protecting consumers from harm. In the U.S., for example, consumer protection laws provide significant protection in the event of stolen credit cards. The same protections do not exist for debit cards, though. Additionally, companies that rely on PII for authentication and identity verification to provide services or make high-risk changes, such as changing SIM cards with a cellular provider, need to be proactive in defending consumers against fraudulent use of exposed PII.”