[BreachExchange] Neiman Marcus Pays $1.5M For 2013 Data Breach

Destry Winant destry at riskbasedsecurity.com
Wed Jan 9 08:54:38 EST 2019 

https://patch.com/maryland/annapolis/neiman-marcus-pays-1-5m-2013-data-breach

BALTIMORE, MD —Maryland, the District of Columbia and 40 other states
have settled with luxury retailer Neiman Marcus for a 2013 data breach
that exposed payment cards for thounds of customers. The chain must
pay $1.5 million and adopt measures to prevent hacks.

Maryland Attorney General Brian E. Frosh said in a news release that
under the terms of the settlement, Neiman Marcus must pay to resolve
the multistate investigation into the breach of customer payment card
data at 77 stores. The breach took place over the course of several
months and compromised the names and payment card data collected at
Neiman Marcus retail stores across the country. Investigators say
about 370,000 payment cards were compromised, including 8,323
associated with Maryland consumers. At least 9,200 of the payment
cards compromised in the breach were used fraudulently.

"Businesses that collect and hold consumers' payment card data have a
responsibility to make sure that data is protected from hackers,"
Frosh said in a statement. "This settlement requires Neiman Marcus to
bolster its protection of consumers' information to prevent a breach
like this from reoccurring."

Along with the $1.5 million settlement, Neiman Marcus must try to
prevent breaches by:
Complying with Payment Card Industry Data Security Standard requirements

- Maintaining a system to log and monitor its network activity
- Maintaining agreements with payment card industry
forensicinvestigators, operating separately, to allow for speedy
investigation and remediation of any concerns
- Updating software used to maintain and safeguard personal information;
- Implementing industry-accepted payment security technologies
- Using technologies like encryption and tokenization to obscure
payment card data.

The settlement also requires Neiman Marcus to obtain an information
security assessment and report from a third-party, and detail any
steps the company may have taken or plans to take as a result of the
report.

More information about the BreachExchange mailing list