Department store giant Neiman Marcus has announced a data breach involving nearly 5 million customer accounts that included payment card numbers and expiration dates alongside other personal information.
In a statement, the company said the breach occurred more than a year ago, in May 2020. The company told ZDNet that they only discovered the breach in September 2021.
Neiman Marcus said it hired Mandiant to investigate the data breach and has notified law enforcement about what happened. The company said it is still trying to "determine the nature and scope" of the breach.
"The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts," the company explained.
"Approximately 4.6 million Neiman Marcus online customers are being notified of this issue. Approximately 3.1 million payment and virtual gift cards were affected for these customers, more than 85% of which are expired or invalid. No active Neiman Marcus-branded credit cards were impacted."
The company added that they do not believe any Bergdorf Goodman or Horchow online customer accounts were included in the breach.
Neiman Marcus said it had created a call center to answer questions about the issue at (866) 571-9725, as well as a website for potential victims.
Quentin Rhoads, a director at cybersecurity firm CRITICALSTART, theorized that the company waited so long to notify affected customers because of the bankruptcy filing.
"From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach. More damage could have been done that has yet been discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access," Rhoads said.
"Even though most of the credit cards and gift cards stolen don't contain data like pins and CVVs, and are probably expired, the theft of usernames and passwords is concerning. This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen. The amount of delay from the breach also adds a lot of complexity in discovering exactly what happened. More than likely, critical evidence is no longer present in their systems."
The company has a long history of data breaches, including a major one in 2013 that led to the leakage of 1.1 million customer payment cards. Credit-card skimming malware had been implanted into systems in certain stores leading to the breach.