Data breach affects over 60,000 customers of luxury retailer Neiman Marcus

Alina BÎZGĂ

June 28, 2024


Dallas-based luxury retailer Neiman Marcus is one of the latest companies impacted by the security incident at Snowflake, a US-based cloud data storage and analytics company.

What happened?

According to a data breach letter sample filed with the Office of the Maine Attorney General, Neiman Marcus was made aware of unauthorized access to its database in May 2024. The breach impacted 64,472 people.

“Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform,” the letter reads. “Promptly after learning of the issue, we took steps to contain it, including disabling access to the relevant database platform.”

While the letter does not name the cloud database provider, Neiman Marcus told BleepingComputer that the incident was linked to its Snowflake account.

"Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake," the statement reads.

What information did the hackers steal from Neiman Marcus?

The data notification letter says the type of PII compromised in the breach “varied by individual, and included names, contact info such as email address and phone number, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (without PINs).”

Stolen data was put up for sale online for $150,000

The breach notice was issued following a for-sale ad posted online by a threat actor using the handle “Sp1d3r”, who also suggested that Neiman Marcus did not give in to any ransom demands.

“Neiman Marcus not interested in paying to secure customer data,” the post reads. “We give them opportunity to pay and they decline. Now we sell. Enjoy!”

The threat actor also mentioned additional stolen data that is not listed in the data breach filing from Neiman Marcus, specifically:

- Last 4 digits of Social Security Numbers

- Info on 70 million transactions with full customer details

- 50 million customer emails and IP addresses

- Info on 12 million gift cards (with names, gift card numbers, balances and more)

- 6 billion rows of customer shopping records, employee data and store information

BleepingComputer noted that this post was removed from the forum alongside the data sample, which may indicate that the company has either begun negotiations with the threat actor or that the offer is being marketed on other channels.

What should impacted customers do?

  • The number one piece of advice we always give data breach victims is to immediately change their passwords, even if their information wasn’t directly compromised.
  • Read the data breach notice carefully and follow the retailer's advice, which includes closely monitoring account statements and credit reports.
  • Stick to official channels for any updates regarding the incident, or call the toll-free number 1-855-889-2743 for additional information or assistance.
  • Watch out for scams and phishing attempts that may leverage any exposed information. Since contact information was also exfiltrated in the attack, we recommend scrutinizing unsolicited messages, texts or phone calls, even if they appear to come from Neiman Marcus.

To assist you in this process, you can rely on Bitdefender Scamio for free. Scamio is our AI-powered scam detector that acts like your personal scam-busting assistant 24/7.

Whenever you’re unsure about a link or a proposal you receive, you can check it with Scamio on WhatsApp, Facebook Messenger or a web browser for free! Copy/paste a text or link, describe the situation, and upload the image or the QR code you want to verify. Scamio will analyze the data and tell you if anyone is trying to scam you.

You can also help all of your friends and family members stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.

  • Report any unauthorized transaction on your gift cards. Neiman Marcus says that gift cards are still valid and can be redeemed in physical and online stores using your number and PIN. If you notice anything suspicious, immediately call Gift Card Services at 1-800-664-4465.
  • Monitor your digital footprint and subscribe to a digital identity protection service for real-time data breach alerts, an easy way to control your online personal data and regain your privacy and peace of mind.

Take control of your digital identity and stay ahead of cybercrooks and data breaches with Bitdefender Digital Identity Protection.

Here’s how Bitdefender can help:

  1. It lets you react immediately to data breaches and other privacy threats. Instant alerts let you take swift action to mitigate potential damage, such as changing passwords.
  2. Real-time monitoring. Bitdefender Digital Identity Protection continuously scans the Internet and dark web for your personal information. You will receive alerts whenever your data is involved in a data breach or leak.
  3. Peace of mind. The service immediately flags suspicious activity and actively monitors personal information for peace of mind.
  4. Education and awareness. Our educational resources help you understand the evolving cyberthreat landscape and how to protect yourself and your loved ones.

Read more about our comprehensive features here.

If you know people who shop at Neiman Marcus, give them a shout-out so they, too, can proactively protect against potential threats and data breaches.

Stay Safe, everyone!

Author


Alina BÎZGĂ

Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
