Neiman Marcus customer data potentially sold as US shopping icon confirms data breach

Luxury shopping brand Neiman Marcus sends letters to customers confirming a data breach affecting more than 64,000 – and the data may already have been sold.

US designer shopping giant Neiman Marcus began contacting 64,472 of its customers this week, warning them of a data breach connected to a “database platform used by Neiman Marcus Group”.

The letter was sent to customers on 24 June, informing them that an “unauthorised third party” had gained access to the platform and gotten away with a tranche of personal data.

“Based on our investigation, the unauthorised third party obtained certain personal information stored in the database platform,” Neiman Marcus’ letter – filed with the Office of the Maine Attorney General – said.

“The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs).”

According to the filing, the date of the hack was 14 April; the breach was subsequently discovered on 24 May. The letter states that, following the breach, Neiman Marcus disabled access to “the relevant database platform”, engaged cyber security experts, and notified law enforcement.

“We take our obligation to safeguard personal information very seriously and are alerting you about this issue so you can take steps to help protect your information,” the letter said.

A day later, on 25 June, Sp1d3r, the threat actor behind a string of hacks related to data warehousing firm Snowflake, claimed to have the stolen data and was selling it on a popular hacking forum for US$150,000.

“High value rich targets! Big Spenders!” Sp1d3r wrote, adding that he had tried to extort a ransom from the company.

“Neiman Marcus not interest [sic] in paying to secure customer data. We give them opportunity to pay and they decline. Now we sell. Enjoy!”

Alarmingly, however, that post has since been taken down, possibly suggesting a successful sale of the data. Threat tracking platform FalconFeeds.ai had observed the post before its deletion and reported that the data contained “70 million transactions with full customer details, 50 million customer emails and IP addresses, 12 million gift card numbers with associated balances, and 6 billion rows of customer shopping records, employee data, and store information”.

Other data allegedly included the last four digits of Social Security numbers.

The threat actor made a reference to “Raped Flake” in their post, which is a custom hacking tool used to take advantage of poorly configured Snowflake servers. Neiman Marcus later confirmed that Snowflake was the “database platform” involved in the incident.

“Neiman Marcus Group (NMG) recently learned that an unauthorised party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake,” the Neiman Marcus Group told several media outlets, including BleepingComputer.

Sp1d3r has been involved in a number of high-profile data breaches concerning Snowflake’s server infrastructure, including Ticketmaster, Pure Storage, and Santander Bank.

David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
