Dallas, US-based Neiman Marcus Group is known as the ‘go-to’ US luxury retailer for the wealthy. However, its reputation for quality has just been damaged by revelations that the company was breached by an attacker in May 2020.
Experts say the detection delay of 17 months is a huge security mistake by the retailer.
This week, Neiman Marcus acknowledged the compromise, which included personal customer information like names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords & even security questions associated with online Neiman Marcus accounts.
Neiman Marcus, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call & Horchow, revealed 3.1m cards were affected. Over 85% of those had already expired, the company stated.
“No active Neiman Marcus-branded credit cards were impacted,” the company’s statement explained. “At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.”
Neiman Marcus is working with law enforcement & cyber-security company Mandiant to get more information about the retailer’s compromise, the company commented.
“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, the company’s CEO, said in the announcement of the breach.
“We are working hard to support our customers & answer questions about their online accounts. We will continue to take actions to enhance our system security & safeguard information.”
Undetected NMG Breach ‘Dangerous’
Security experts say it’s too late for Neiman Marcus to protect its customers & that the delay in detection of the unauthorised access makes the situation more difficult.
“The breach occurred before Neiman Marcus filed for bankruptcy in Sept. 2020, which could have caused a delay in identification,” said Quentin Rhoads, Director of Professional Services at security firm Critical Start.
“From a security perspective it is very dangerous for a company to go this long without detecting & responding to a breach. More damage could have been done that has yet to be discovered.”
Sold off the Access
He noted it’s likely the attackers sold off the access to NMG’s systems to someone else for later use.
“Even though most of the credit cards & gift cards stolen don’t contain data like pins & CVVs, & are probably expired, the theft of usernames & passwords is concerning,” Rhoads added.
“This data more than likely would be sold to other attackers who can use this for crimes such as identity theft in conjunction with the other personal information stolen.”
He also observed it’s going to be hard to find any firm evidence of the breach, since so much time has passed since the initial compromise.
“More than likely, critical evidence is no longer present in their systems,” Rhoads surmised.
“They could easily be unable to identify the initial point of the breach, what other areas the attackers got access to, and what the attackers did outside of stealing data.
All of these points are critical for an organisation to understand to appropriately notify affected parties, identify pathways to prevent this in the future, & to provide critical evidence to law enforcement to further criminal investigations.”
Lack of Security Is ‘Staggering’
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, was sharper about Neiman Marcus’ security mistake.
“The lack of both prevention & detection capabilities at many organisations is simply staggering,” Clements commented. “I try as much as possible to shy away from victim blaming, but in many circumstances, organisations have been grossly negligent in securing customer data.”
Clements added that in many breaches, it’s very easy for an attacker to get their hands on customer data.
‘Super Cyber Heist Plot’
“Despite the press releases that almost never fail to describe the attackers or attack methods as ‘highly sophisticated,’ the reality is that most breaches aren’t some ‘super cyber heist plot’ out of a bad movie, but rather akin to some guy walking in the front door & wheeling out a filing cabinet & no one is around to notice.”
Justin Fier, a director with Darktrace, observed that Neiman Marcus’ security team should assume the attacker has been hiding in its systems since May 2020. He added that it’s the responsibility of Neiman Marcus to adopt a more modern security strategy.
“Today, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics &, of course, to continually monitor their risk across globally distributed networks & complex digital infrastructures,” Fier stated.
“As retailers like Neiman Marcus adapt to a more virtual world & embrace innovations to support remote shopping (like its recently announced virtual trainer showroom) we should expect attacks on the industry to increase.
These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers’ personal data is protected with the best defensive technology available to them.”
Reset Their Passwords
Now, Neiman Marcus is asking customers to reset their passwords & has set up a call centre for those concerned about their information being compromised.
Nick Sanna, CEO of Risk Lens, explained retailers are under both ethical & regulatory obligations to protect customer data.
“They have an obligation to keep this sensitive customer data safe & out of the hands of the wrong people, obligations that are both ethical & regulatory in nature,” Sanna concluded.
“The outcome of not doing this is exactly what Neiman Marcus Group is now facing.”