Neiman Marcus discloses data breach impacting 4.6 million customers

Luxury department store chain Neiman Marcus disclosed a data breach on Thursday that exposed the personal information of more than 4.6 million of its customers.

The Dallas-based company, which owns three fashion brands and operates 37 stores across major US cities, disclosed the incident in a message posted on its corporate website.

According to the company, the security breach took place last year, in May 2020. The incident only recently came to light and is still being investigated with the help of law enforcement.

The company said that only customers of its Neiman Marcus online shop were impacted. The intrusion did not reach its Bergdorf Goodman or Horchow online shops.

Data stolen by the hacker varied from customer to customer, but the company said it included fields such as:

  • names
  • contact information
  • payment card numbers (without CVV numbers)
  • card expiration dates
  • virtual gift card numbers (without PINs)
  • online account usernames
  • online account passwords
  • online account recovery questions & answers

"Approximately 4.6 million Neiman Marcus online customers are being notified of this issue," the company said.

"For these customers, approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid," it added.

Neiman Marcus has also set up a special website to provide additional details and guidance for affected customers.

This is the company's second major data breach after hackers stole payment card details for 1.1 million customers back in 2013. In 2019, the company was fined $1.5 million for that incident.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.