Cybersecurity

Neiman Marcus notifying 4.6M customers of data breach

Department store Neiman Marcus announced Friday that it was in the process of notifying 4.6 million online customers that some of their data had been compromised as part of a data breach that took place last year.  

According to a statement, an “unauthorized party” successfully obtained data including names, contact information, payment card numbers and expiration dates, usernames and passwords associated with Neiman Marcus online accounts and virtual gift cards. 

The company said that 3.1 million payment and virtual gift cards were compromised as part of the breach, but 85 percent of these were expired or invalid. Information on online customers of Bergdorf Goodman and Horchow, which are part of the Neiman Marcus Group, were not affected by the breach. 

“At Neiman Marcus Group, customers are our top priority,” CEO Geoffroy van Raemdonck said in a statement Friday. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

The company noted that it was working with law enforcement and cybersecurity group Mandiant to investigate the beach, which Neiman Marcus only recently discovered but dates to May 2020.

The company has set up a webpage and dedicated call center to assist customers impacted by the breach, and is requiring all customers who have not changed their online Neiman Marcus account passwords since then to do so. 

The breach is the latest in a series of escalating cyber incidents to impact major American companies over the past year, with cybersecurity becoming an increasing priority for both government and industry. 

Major incidents have included the SolarWinds hack in December, in which Russian government-linked hackers were able to successfully breach numerous federal agencies and private sector companies, along with ransomware attacks on groups such as Colonial Pipeline, meat producer JBS USA, and IT company Kaseya. 

The breach was announced on the first day of the annual Cybersecurity Awareness Month, aimed at increasing awareness of threats in cyberspace.