Data Breach Highlight: Neiman Marcus Takes Another Hit

February 09, 2016 By Risk Based Security

Neiman Marcus

How many impacted: Approximately 5,200

Occurred: December 26, 2015

Reported: January 29, 2016

What Happened:

Just as Neiman Marcus was heading back to court to fight a class action lawsuit arising out of the 2013 breach of customer payment card data, certain “unauthorized individuals” launched an automated attack attempting to access customers’ online accounts at various Neiman Marcus websites. According to the company's breach notification letter released on January 29th, login credentials leaked in other, unrelated breaches were gathered and hurled en masse at Neiman Marcus websites in the hope that those same credentials would open customer accounts. Not surprisingly, given the findings of the 2015 Data Breach QuickView, the attack worked: approximately 5,200 accounts were accessed, and roughly 70 of those accounts were used to make unauthorized purchases from the high-end retailer.
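The pattern described above, reused credentials replayed in bulk against many accounts, leaves a distinctive trace in login logs: one source trying many different usernames with a low success rate, unlike a real customer mistyping a password on a single account. The Python below is an added example, not code from the original post or from Neiman Marcus; the log format and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login events (assumed format): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2015-12-26T02:00:01Z 203.0.113.9 alice@example.com FAIL
2015-12-26T02:00:02Z 203.0.113.9 bob@example.com FAIL
2015-12-26T02:00:02Z 203.0.113.9 carol@example.com SUCCESS
2015-12-26T02:00:03Z 203.0.113.9 dave@example.com FAIL
2015-12-26T02:00:03Z 203.0.113.9 erin@example.com FAIL
2015-12-26T02:00:04Z 203.0.113.9 frank@example.com SUCCESS
2015-12-26T02:01:00Z 198.51.100.7 alice@example.com FAIL
2015-12-26T02:01:30Z 198.51.100.7 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_events(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "ip": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_users=4, max_success_rate=0.5):
    """Flag source IPs that fan out across many distinct accounts with mostly failures.

    Returns {ip: [accounts that succeeded from that ip]} so the defender knows
    which accounts to reset first; a single user retrying one account is never flagged.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        successes = sum(1 for e in evs if e["ok"])
        if len(users) >= min_users and successes / len(evs) <= max_success_rate:
            flagged[ip] = sorted(e["user"] for e in evs if e["ok"])
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(parse_events(SAMPLE_LOG)))
```

On the sample data the fan-out source 203.0.113.9 is flagged with two compromised accounts, while 198.51.100.7 (one user, one retry) is not.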

Why It Matters:

Everyone, bad guys included, understands that it’s just too hard for most folks to create unique user IDs and passwords for each and every website, network or system that requires login credentials. Usernames, passwords and email addresses are the most frequently compromised data types, and for good reason. As the latest Neiman Marcus incident shows, “unauthorized individuals” are actively gathering this data from poorly protected targets and using it quite effectively to extract something of value from an unrelated party. In this case, it was a virtual five-finger discount on luxury goods that can be resold to anyone willing to look the other way on the origins of the merchandise.

This incident is important for another reason. Neiman Marcus was not compromised per se, yet the company is certainly opening up its wallet and paying a price for the poor security practices of others. Thanks to data breaches at entirely unrelated organizations, Neiman Marcus is now contending with additional expenses from merchandise theft, reimbursing customers for fraudulent charges, resetting customer accounts and walking through the breach notification process for the second time in two years.
