Neiman Marcus has alerted customers that a data breach last year may have exposed the payment records of 4.6 million customers.
The personal information for affected customers may have included names and contact information; payment card numbers and expiration dates but without CVV numbers; Neiman Marcus virtual gift card numbers without PINs; and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.
The company said it has alerted law enforcement and retained the services of a cybersecurity firm to investigate. The preliminary investigation shows that around 3.1 million payment and virtual gift cards were exposed, but the vast majority -- more than 85% -- were expired.
The company said no active Neiman Marcus-branded credit cards were exposed and that there is no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.
"At Neiman Marcus Group (NMG), customers are our top priority," said Geoffroy van Raemdonck, the company’s CEO. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."
Incident occurred 17 months ago
The breach is believed to have occurred in May 2020, but the company only learned of it in recent days. Once it was aware that payment records had been exposed, the company said it began steps to protect customers.
The company required an online account password reset for affected customers who had not changed their password since May 2020. It also set up a call center to answer customers’ questions. The number is (866) 571-9725, and it is open Monday through Friday, 8 a.m. to 10 p.m. CST; Saturday and Sunday, 10 a.m. to 7 p.m. CST. Callers should be prepared to provide engagement number B019206. There’s also a webpage that provides additional information.
Cyberattacks on corporate entities have become more common in the last five years. Corporations are major targets for hackers. Earlier this year, a ransomware attack shut down a major gasoline pipeline.