Neiman Marcus Group (NMG) reported that someone gained unauthorized access to online customer accounts on the Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP websites.
How many victims? Approximately 5,200
What type of information? Usernames, passwords, names, mailing addresses, phone numbers, last four digits of payment cards, and purchase histories.
What happened? On or around Dec. 26, 2015, an unauthorized individual gained access to approximately 5,200 online accounts by using automated attacks to attempt various login and password combinations. The threat actor was able to make purchases on approximately 70 of these accounts.
What was the response? Lindy Rawlinson, senior vice president of ecommerce, said in a letter to the customers that the company's fraud team “has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase.” NMG has taken steps to limit the ability of the threat actors to access customer accounts. The company has also initiated a comprehensive response and investigation to understand the scope of the incident. Anyone affected by the breach should change their passwords on all NMG websites and any other site that uses the same username password combination, the company said in the notice.
Details? The firm suspects the attacker obtained the login credentials from large breaches at other companies where login names and passwords were stolen in order to gain unauthorized access to other accounts where victims might use the same credentials. Rawlinson said, customers will be required to reset their passwords on all NMG websites the next time they log into their accounts.
Source: Jan. 29, 2016 Notice of Breach