In a statement, the company said the data breach involved customers’ names, contact information, payment card numbers and expiration dates, and virtual gift card numbers, as well as usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts. The CVV numbers of exposed payment cards were not accessed, nor were the PINs of Neiman Marcus virtual gift cards. Of the affected payment and virtual gift cards, more than 85 percent are expired or invalid.
No active Neiman Marcus-branded credit cards were impacted. Further, the company says it does not believe that its affiliated Bergdorf Goodman or Horchow online customer accounts were affected.
Neiman Marcus is requiring customers to reset their online account passwords if they have not done so since May 2020. The company has also set up a breach-specific webpage and a call center for those concerned.
The company says it has notified law enforcement of the breach and is working with Mandiant, a cybersecurity company, to investigate. It’s still unclear, however, why 16 months passed between when the data breach occurred and when the company began notifying customers.
The retailer has a poor record on cybersecurity, with additional data breaches occurring in 2013 and 2015. Following the 2013 breach, Neiman Marcus faced a class action lawsuit as well as lawsuits from 43 states. It settled the legal actions in 2019, agreeing to pay $1.5 million.