Neiman Marcus data breach: what happened and what you should do

The Neiman Marcus Group (NMG), an iconic luxury department store, has joined a growing list of retailers impacted by data breaches. While customers may believe that high-end retailers are safe, the recent Neiman Marcus data breach is a reminder that cybercriminals target all businesses. Our article will explain what happened during the breach, the information threat actors compromised, and what steps you should take to protect yourself. 

What is the Neiman Marcus data breach?

In May 2024, when the company first reported the Neiman Marcus data hack, it said that only 64,000 were affected. A later report, by HaveIBeenPwned, clarified that the breach had a much larger impact.

This isn’t the first time the luxury retailer has dealt with a security breach and exposed its customers’ personal information. In September 2021, they revealed a breach affecting approximately 4.6 million customer accounts. These recent Neiman Marcus data breaches are all part of an industry pattern where retail is one of the most targeted industries for cybercrime. 

Neiman Marcus has faced earlier cybersecurity challenges as well. In 2014, NMG confirmed a security breach involving hackers who installed point-of-sale malware in its brick-and-mortar stores. The criminals stole about 350,000 payment cards and committed fraud with at least 9,200. 

In the following year, threat actors used username and password combinations they found elsewhere to start an automated credential-stuffing campaign. They compromised roughly 5,200 customer accounts across other Neiman Marcus brands, including Bergdorf Goodman and Last Call. Brands like Neiman Marcus are more appealing to threat actors because of their wealthy clients and prestigious reputations. 

What customer data was compromised?

The retailer confirmed the 2024 security breach in an official letter to all affected customers. Early reports of the Neiman Marcus data breach were unclear and downplayed the seriousness of the event. After a further investigation, the Neiman Marcus hack was part of a larger campaign that compromised 165 companies. 

Threat actors were able to access high-value customer information, including: 

• Customer email addresses: At least 31 million Neiman Marcus customer accounts were identified, far exceeding the company’s official statement.
• Names, birthdates, home addresses, and phone numbers: These can enable bad actors to launch targeted phishing campaigns.
• Social security numbers and employee IDs: Hackers can exploit these sensitive data bits in identity theft schemes.  
• Partial credit card numbers or Neiman Marcus gift cards: The cyber attack didn’t expose the cards’ CVVs or expiration dates. Yet, bad actors can still use the information to create a complete digital profile and commit fraud. 
• 70 million customer transaction histories: Cyberattackers acquired the quantities, items, and purchase dates of customer orders, which they can use to build more detailed profiles. 

The 2024 Neiman Marcus data breach is similar to the earlier exfiltration incident, which happened in May 2020 but wasn’t disclosed until September 2021. The attack allowed threat actors access to account login information, complete payment card details, gift card information, usernames, and answers to security questions on 4.6 million customer accounts.   

How did the breach happen?

The 2024 Snowflake incident

A report by Google’s cybersecurity investigator Mandiant revealed an organized attack from April to May that was responsible for the 2024 Neiman Marcus data breach, using compromised Snowflake customer credentials. A threat actor identified as UNC5537 attacked Snowflake customer environments with login credentials they stole via infostealer malware. The attacker(s) took advantage of weak security practices: 

• Missing multi-factor authentication processes that left many customer accounts vulnerable to exposure.
• Reusable credentials that were stolen by hackers from infostealer logs on infected devices. 
• No IP allowlists in place, which would’ve restricted which devices or locations could access the systems, meaning that attackers could log in from anywhere without raising suspicion.

UNC5537 used a custom script called FrostBite to access company systems and steal data. The hacker group then posted the stolen records on dark web forums to sell. Mandiant linked several other high-profile security breaches, such as Ticketmaster, Santander Bank, and Allstate, to a threat actor called Sp1d3r who posted data for sale on a hacking forum. 

The 2020 Neiman Marcus data breach

In May 2020, hackers obtained data from certain customers’ online accounts. Neiman Marcus confirmed the breach only on September 30, 2021, raising serious concerns about its detection and response capabilities. 

A class action lawsuit filed in California alleged that Neiman Marcus’s inadequate cybersecurity was the root cause of the breach. The suit claimed the company failed to implement reasonable safeguards for customer data and worsened the impact by waiting over 16 months to notify those affected.

Did Neiman Marcus do enough to protect your data?

Many cybersecurity experts and lawsuits say no. Millions trusted Neiman Marcus with their business, but it failed to use basic cybersecurity protocols. Legal filings claim the company still used single-factor authentication to protect customer data. They chose to do this despite the option to use MFA through Snowflake. 

While Neiman Marcus claims that only 64,000 accounts were affected in the 2024 incident, investigations discovered 31 million email addresses on dark web forums. One New Jersey native named in a recent lawsuit received several alerts confirming their data was already on the dark web. 

Neiman Marcus has habitually neglected their customers’ privacy. During an infamous 2013 breach, they didn’t follow up on nearly 60,000 security alerts. In that case, the court agreed that customers had a “reasonable likelihood” of harm, which gives them the right to sue. The ruling continues to shape data breach litigations today. 

The company may have implemented password resets, temporarily disabled vulnerable parts of its website, and set up call centers, but critics argue their responses, at times, were too slow. In the 2020 breach, NMG waited more than 16 months before notifying its customers, which experts warn could increase the risk of theft and fraud. 

Neiman Marcus continued using vulnerable security measures that didn’t comply with industry standards, even when more secure options were available. In the most recent class action lawsuit, plaintiff Natalie Gianne claims that both Neiman Marcus and Snowflake failed to protect the information from a “foreseeable cyberattack.”

What should you do if your data is exposed?

If you’ve received a breach notification from Neiman Marcus, don’t panic. Instead, you should act quickly and be proactive: 

Immediately change your passwords 

Update the passwords for your Neiman Marcus accounts. Use unique passwords for each online platform and never reuse your login info. A password manager can help secure your data.  

Use two-factor authentication (2FA)

Many companies realize stricter security protocols are necessary for safer customer transactions. If available, turn on 2FA for your account. Activating this feature will provide another layer of security even if bad actors have your credentials. 

Check your financial accounts regularly

Bad actors can use your exposed data anytime. Watch your bank accounts and review debit or credit card statements for suspicious transactions. Report odd transactions to your bank or card issuer immediately. 

Be aware of phishing emails or texts

It’s common for cybercriminals to attempt phishing scams after a breach. Like other evolving cyber attacks, any Neiman Marcus scam can mimic official company notifications. Be wary of any letters asking for or wanting you to verify personal information. 

Consider canceling or replacing your cards

If you shopped at Neiman Marcus, you may request a new credit or debit card. While it won’t stop cybercriminals from using your data elsewhere, it can prevent unauthorized transactions and the stress of dealing with them. 

The next not-so-urgent but still very important step for protecting your privacy is reducing your online exposure. Read on to learn how. 

How to reduce your online exposure

Proactively controlling your digital footprint is the best chance to reduce exposure to future breaches. You can’t prevent every cyber incident, but you can make it harder for thieves to find and exploit your data. Follow these steps to better manage your online presence.

Place a credit freeze or fraud alert

A credit freeze will restrict access to your credit report, making it harder for criminals to open new accounts. A fraud alert tells creditors to take extra care when verifying your identity. You can do both for free through TransUnion, Experian, or Equifax. 

Take action even if there aren’t any red flags

Sometimes you won’t see signs of a security breach. A company may delay notifying those affected by a breach until they have more information. Either way, it’s best to double-check places like HaveIBeenPwned to see if your email address is part of any data breaches. You can also request a free report from all three credit bureaus at AnnualCreditReport.com.

Control your digital footprint

The more of your data there is online, the greater your risk of exposure. Data brokers publish your name, address, and phone number online. You can manually opt out of these sites, but it’s repetitive and time-consuming. Onerep automates this process by removing your data from over 200 data broker sites and continuously opting you out if your details reappear. 

Seek education

Beyond managing your digital footprint, you can keep your data safe by staying informed. Make safer choices by reading about best practices for privacy and common scam tactics bad actors use from authoritative sources. For a deeper dive into privacy protection, check out this helpful guide. 

Frequently Asked Questions

Is Neiman Marcus safe to shop at now?

Neiman Marcus customers may want to find an alternate retailer moving forward. NMG hired cybersecurity experts, forced password resets, and sent official notifications about the breach. Yet, the most recent Neiman Marcus data breach lawsuit suggests the company still has some work to do. 

Has Neiman Marcus been hacked before?

Yes, Neiman Marcus has experienced multiple data breaches in the last decade:

• In 2014, hackers used POS malware to expose payment card details from 350,000 customers.
• In 2015, cyber attackers breached Neiman Marcus again using stolen login info from unrelated breaches to access 5,200 accounts.
• A breach in 2020 revealed personal data from nearly 4.6 million customers. NMG delayed notifying affected individuals until 2021. 

The company is a fitting example of the importance of ongoing personal data security efforts. You can remove your personal information from the internet and opt out of people search sites.

Will I be notified if my data was leaked?

If you were directly impacted by a Neiman Marcus data breach, you should have received a letter. If not, do your own research using trustworthy sites like topclassactions.com, classaction.org, securityweek.com, and cybernews.com. Given the company’s delayed response to previous incidents, we recommend using an identity theft monitoring service for more protection. 

Conclusion

Knowing the scope of a data breach may be the difference between exposing your personal information to long-term risk and protecting your identity. In cybersecurity, knowledge is power. You gain more control when you stay educated on emerging threats, proactively check if your data is public, and then reduce this online exposure. You can do it yourself or let Onerep help. 

Your information is valuable and deserves proactive action. Start today.