
Cyber Incident Victim: Neiman Marcus Group

Date:

May 2020

Location:

United States of America

Summary

Neiman Marcus experienced a cybersecurity breach in which an unauthorized party accessed online customer accounts, compromising data for approximately 4.3 million individuals. Exposed information included account credentials, payment card details (without CVV codes), security question answers, virtual gift card numbers (most of them expired or already invalidated), shipping addresses and contact details. The intrusion was detected months after initial access, prompting forced password resets for affected accounts. Subsidiaries Bergdorf Goodman and Horchow remained unaffected. The company did not provide credit monitoring services, instead advising customers to monitor their financial statements for unauthorized activity.


Description

The Neiman Marcus data breach originated in May 2020 when an unauthorized party gained access to a substantial volume of online customer account credentials. These compromised credentials were then used to extract sensitive customer information from the retailer's systems. The intrusion remained undetected for over 16 months until Neiman Marcus discovered the incident on September 9, 2021. The breach impacted approximately 4.3 million customers whose personal and financial data was exposed. Compromised information included online account usernames and passwords, credit card numbers with expiration dates, security questions and answers, virtual gift card numbers, shipping addresses, and contact details. Notably, CVV numbers were not stored in the affected systems, reducing immediate usability of stolen payment card data. Among the 3.1 million exposed virtual gift cards, over 85% were either expired or already invalidated through prior use, and no gift card PINs were accessed during the breach.


Upon discovery in September 2021, Neiman Marcus initiated forced password resets for all affected online accounts, requiring customers to establish new credentials. The company issued breach notifications to impacted individuals but did not provide complimentary credit monitoring or identity theft protection services typically offered in such incidents. Customers were advised to monitor financial statements for unauthorized transactions and report suspicious activity to their card issuers. The breach exclusively affected Neiman Marcus customers, with subsidiaries Bergdorf Goodman and Horchow remaining unaffected. The retailer's notification did not disclose whether exposed passwords were hashed, salted, or stored in plain text, leaving customers vulnerable to credential-stuffing attacks if passwords were reused elsewhere. No details regarding the initial attack vector, duration of unauthorized access, or containment measures were publicly disclosed beyond the confirmed timeline of intrusion and discovery.
