[BreachExchange] Neiman Marcus Continued Struggling with Data Breaches, Documents Show

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 20 20:21:23 EDT 2017


https://www.dmagazine.com/business-economy/2017/07/neiman-marcus-continued-struggling-with-data-breaches-documents-show/

Neiman Marcus may have recently settled a $1.6 million class-action lawsuit
regarding its 2013 data breach, but its cybersecurity issues didn’t end
there. The Dallas-based retailer has had at least two other data breaches
since 2013, with the most recent hitting earlier this year.

On or about Dec. 26, 2015, hackers obtained customers’ full payment card
numbers and expiration dates, as well as customers’ names, contact
information, email addresses, and purchase history, according to documents
filed with the California Attorney General. Then, on or about Jan. 17 of
this year, hackers accessed customers’ names, basic contact information,
email addresses, purchase history, “but only the last four digits of
payment information,” the documents say.

Neiman Marcus has yet to respond to requests for more information about the
breaches, including how many people were affected.

In both cases, however, the company sent notifications of the breaches to
affected customers, which the retailer identified as InCircle loyalty
members or online shoppers. The notification says that, in both instances,
“unauthorized individuals began attempting to access our InCircle, Neiman
Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites
(collectively the ‘NMG websites’) by trying various login and password
combinations using automated attacks.”
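The notification describes automated attempts at many login and password combinations, i.e. credential stuffing. The following detection logic is an added example, not code from the article or from Neiman Marcus: it assumes a constructed login log format and illustrative thresholds, and flags a source address whose attempts within a short window hit many distinct accounts and mostly fail, which a single user mistyping one password does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not real data).
SAMPLE_LOG = """\
2017-01-17T02:00:01Z login FAIL user=alice src=203.0.113.7
2017-01-17T02:00:02Z login FAIL user=bob src=203.0.113.7
2017-01-17T02:00:02Z login FAIL user=carol src=203.0.113.7
2017-01-17T02:00:03Z login FAIL user=dave src=203.0.113.7
2017-01-17T02:00:03Z login OK user=erin src=203.0.113.7
2017-01-17T02:00:04Z login FAIL user=frank src=203.0.113.7
2017-01-17T02:05:00Z login FAIL user=grace src=198.51.100.9
2017-01-17T02:05:30Z login FAIL user=grace src=198.51.100.9
2017-01-17T02:06:00Z login OK user=grace src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, result, user, src); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {src: (distinct_users, attempts, failures)} for each source whose
    attempts in some sliding window span >= min_users accounts and mostly fail.
    Thresholds are illustrative assumptions; tune them to the site's real traffic."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[1] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = (len(users), len(win), fails)
                break  # one hit is enough to raise the alert for this source
    return flagged
```

Run over real logs this feeds the kind of response the article describes: forced password resets for the targeted accounts, plus rate limiting on the login endpoint for the flagged sources.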

The notification goes on to say that hackers also were able to access
InCircle gift card numbers as well as their “Circle Level,” which
determines customers’ benefits based on how much they spend at the
retailer. Neiman’s stated that “all indications” show that the InCircle and
Neiman Marcus Group’s database of email addresses and passwords are safe,
and that the company’s “cyber defenses repelled the majority of the
attacks.”

In response to the two attacks, Neiman Marcus offered affected customers
one year of MyIDCare, a theft protection service offered through ID
Experts. The service includes credit and cyberscan monitoring, a $1 million
insurance reimbursement policy, educational materials, and fully managed ID
theft recovery services. The deadline to apply for the services was July
12. The retailer has also required a password reset for all affected online
accounts.

The data breaches followed the 2013 attack, which exposed the credit card
data of thousands of customers. A class action lawsuit claimed that 350,000
customers were affected by that breach. Neiman Marcus said the number was
only 9,200. In March of this year, Neiman Marcus agreed to pay $1.6
million. As part of the settlement, it also agreed to appoint a chief
security information officer, create an information security unit, and to
increase the frequency and depth of cybersecurity reporting to executives
and its board, among other new security measures.

Neiman Marcus did not have a CISO during the time of the 2013 attack. But
about 10 months after the breach, it hired Sarah Hendrickson, who served in
that role until exiting in June this year. The company did not cite reasons
for her departure but did say it was working to replace her.