The Washington Post

Neiman Marcus: 1.1 million in-store customers affected by breach

FILE - JANUARY 11, 2014: It was confirmed by Neiman Marcus that customers' credit and debit card information had been compromised in a cyber-security attack January 11, 2014. CHICAGO - MARCH 05: Pedestrians walk past a Neiman Marcus store on the Magnificent Mile March 5, 2009 in Chicago, Illinois. Neiman Marcus Group Inc., which operates Neiman Marcus, recently reported a 24 percent decline in sales. (Photo by Scott Olson/Getty Images)

Neiman Marcus Group said Thursday that about 1.1 million customers have been affected by a three-month security breach that the retailer initially disclosed earlier this month.

So far, credit card companies have told the high-end retailer that about 2,400 cards from Neiman Marcus customers have been used in fraudulent transactions linked to the breach. The retailer has yet to see any fraudulent activity on its own Neiman Marcus cards, the company said in an online post.

This is the most detailed accounting the firm has released to date of the incident, which occurred between July and October of 2013.

The upscale retail-store operator said online customers were not affected by the intrusion. It also said sensitive information such as Social Security numbers, birth dates and PIN numbers was not taken in the cyberattack.

The scope of the Neiman Marcus attack is far more limited than a similar breach at Target, where a December breach might ultimately affect more than 100 million customers. Though Neiman Marcus says it has “no knowledge” of a connection to the Target breach, the incidents are strikingly similar.

Karen Katz, the president and chief executive of Neiman Marcus Group, said in a statement to customers that criminals installed malicious software to collect payment information on the firm’s system for nearly three months. Despite the duration of the attack, the retailer said it was not notified of the problem until mid-December and did not confirm there had been an attack until Jan. 1 — about six months after the initial attack.

The firm is also continuing to investigate how many of its stores were affected. The Neiman Marcus Group includes Neiman Marcus, Bergdorf Goodman, Last Call, Horchow and Cusp stores.

The company is casting a wide net to notify customers about the breach. It is sending notifications to all customers for whom it has addresses or e-mail addresses on file and who have shopped at its stores in the past year. It is offering free credit monitoring to consumers using Experian’s ProtectMyID program, which is the same service Target is offering its users.


Hayley Tsukayama covers consumer technology for The Washington Post.


