Neiman Marcus is not having a good month as far as public relations are concerned.
First, according to a report on Data Breach Today, on April 14 the luxury retailer had to file a notice with the California attorney general that an incursion into its network in December 2015 had exposed more sensitive data than originally reported. Next, it also had to reveal a series of new attacks that occurred earlier this year in which names, contact information, email addresses and purchase histories of customers were compromised. Most of those attacks were repelled, the retailer stated.
These revelations follow on the heels of its disclosure in early 2014 that payment card details of 350,000 customers were siphoned away after its payment systems were hit with malware.
The attack in 2015 began around the holidays. In that incident, the retailer reported to the state that 5,200 accounts were accessed and fraudulent purchases showed up on the accounts of 70 of those identities. At the time, the retailer said email addresses and passwords were not exposed. However, its latest disclosure revealed that full payment card numbers and expiration dates were, in fact, compromised in the 2015 occurrence.
The new attacks from around January 17, disclosed by the Neiman Marcus Group, affected the websites of Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, Horchow and a loyalty program called InCircle.
The company said it believed the attackers used credentials stolen in previous incursions to attempt access to its sites. Some apparently worked. The latest breach succeeded in siphoning out names, contact information, email addresses, purchase histories and the last four digits of payment card numbers, although the number of accounts affected was not disclosed.
“At present, all indications are that the InCircle and Neiman Marcus Group database of customer email addresses and passwords remains safe and that our cyber defenses repelled the majority of the attacks,” according to the company’s data breach notice.
Neiman Marcus Group issued a mandatory password reset for its account holders. The company is also offering a one-year subscription to an identity theft service to those customers affected.