Neiman Marcus, a US retail company, has discovered that a data breach exposed certain personal information from the accounts of consumers who shop at Neiman Marcus online. The breach, which involved payment card and virtual gift card information, has prompted the company to notify 4.6 million consumers.
In May 2020, an unauthorized person accessed information linked with consumers’ online accounts, according to the business, which operates 37 premium department shops in 17 states.
The company said it found out about the incident in September, 17 months later.
In a press release issued yesterday (September 30), the company stated that the stolen data “may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.”
3.1 million payment and virtual gift cards were affected, according to Neiman Marcus, although more than 85 percent of them were “expired or invalid.”
It went on to say that “no active Neiman Marcus-branded credit cards were compromised,” and that there was no evidence that customers of Neiman Marcus subsidiaries Bergdorf Goodman and Horchow had been affected.
The incident has been reported to law enforcement, according to Neiman Marcus, which added that an “investigation is continuing and the business is working rapidly to understand the extent and breadth of the problem.”
Neiman Marcus stated it enacted “an online account password reset for affected customers who had not changed their password since May 2020” after learning about the problem.
To assist clients in preventing fraud and identity theft, a specialized contact centre and website have been established.
“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, the company’s CEO.
“We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”
Martin Jartelius, CSO of cybersecurity firm Outpost24, commented: “According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a format that is readable, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards.
“While the breach notification is good, the lack of hygiene, in this case, is considerable.”