A data breach affecting more than 64,000 people has been admitted by US luxury goods retailer Marcus Neiman.
The story emerged when the company filed a data breach notification at the Office of the Maine Attorney General, with the submission stating that the breach occurred on April 14 of this year and was discovered, over a month later, on May 24.
Marcus Neiman has subsequently confirmed that the breach had occurred as a consequence of the hack suffered by cloud storage company Snowflake. But the hacker who has placed the data for sale claims that the actual number is far higher.
Personal Information Affected
The data breach notification was filed on Monday, June 24, and was accompanied by a sample letter to be sent to potentially impacted Maine residents.
The letter confirms that “an unauthorized third party gained access to a database platform used by Neiman Marcus Group” and that the type of personal information affected included names, contact information, dates of birth, and gift card numbers for Neiman Marcus and its associated Bergdorf Goodman department store.
This just in! View
the top business tech deals for 2024 👨💻
It states that the company has taken steps to contain the issue, “including by disabling access to the relevant database platform,” and that all gift cards remain valid.
The total number of persons affected, the breach notice says, is 64,472.
Data for Sale
In a statement to the website BleepingComputer, a Marcus Neiman spokesperson confirmed that the hacked data had been stored in a database platform supplied by Snowflake – the cloud storage specialist that was a victim of a major hack earlier in the year.
A day after the breach notification was filed, a threat actor named Sp1d3r used a hacking forum to apparently put the data on sale for $150,000.
🚨🚨🚨Major #DataBreach 🚨🚨🚨
🇺🇸#USA: A potential data breach at Neiman Marcus, an American integrated luxury retailer with $4.5B revenue, has been detected on a hacking forum: Millions of customers allegedly affected are for sale for $150,000.
According to the post, the… pic.twitter.com/rvKzuVS1H2
— HackManac (@H4ckManac) June 25, 2024
However, the post suggests that the number of customer transactions affected could be as many as 70 million, and that the last four digits of customer SNNs had also been compromised.
What You Should Do Next
If you’ve ever bought anything from Marcus Neiman and are concerned that your data may become exposed, there are several measures you can take to protect yourself.
The abovementioned letter that the company is sending out to customers in Maine suggests that you start by ordering a free credit report (online or by phone on 1-877-322-8228) and seeing if there is any unusual activity. Any unauthorized transactions should be reported to your payment card company or bank, and you should consider placing a fraud alert on your credit file, too.
A search on website haveibeenpwned.com would also be worthwhile to see whether your email address is connected to any known data breaches. You should be alert to any odd activity on your bank records and to suspicious emails and phone calls.
If you feel quite sure that your details have been compromised, we would advise that you play things super safe and change your online passwords.
Other Recent Data Breaches
Marcus Neiman won’t be the last company to have their customer information data breached by a threat actor, and it’s certainly not the first.
A range of large, global companies have been exposed in only the last few weeks and months, the most notable recent example being Ticketmaster. A hacker group called ShinyHunters stole 1.3 terabytes-worth of date that contained information of over half a billion Ticketmaster customers.
Dropbox announced in April that it had been the victim of a data breach, while the same fate befell Roku in March.
Meanwhile, communications company AT&T tried to turn its own breach into a PR win, by offering a free security bundle and identity theft insurance to all affected users.
