Lessons from Neiman Marcus Third-Party Data Breach

July 31, 2024

According to an article by CPO Magazine, personal information belonging to more than 64,000 customers of Texas luxury retailer Neiman Marcus was stolen in the third-party data breach of Snowflake, a cloud services provider.

A statement from Neiman Marcus says, “In May 2024, we learned that, between April and May 2024, an unauthorized third party gained access to a database platform used by Neiman Marcus Group. Promptly after learning of the issue, we took steps to contain it, including by disabling access to the relevant database platform. We also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”

Alicia Hope, reporting in CPO Magazine, says that shortly after Neiman Marcus disclosed the third-party data breach, the information was offered for sale on the dark web, along with the hacker’s accusation that the company had refused to pay a ransom “to secure customer data.”

The data includes victims’ names, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s), but not gift card PINs. The hacker claims that the data includes customers’ email addresses and partial Social Security numbers.

The company told affected customers that the validity of their stolen gift cards was not compromised, probably because their PINs weren’t stolen.

Neiman Marcus has been victimized at least twice before. In 2017 it settled a class action lawsuit after a cyber attack that impacted 350,000 individuals. In 2020 it suffered a data breach that impacted millions of customers.

The article quotes a cybersecurity professional who said that companies can learn from the most recent incident by ensuring that identity and access management practices for account registration and configuration of cloud accounts are performed with the necessary governance for both registration and ongoing operational support.
