Neiman Marcus Group said Thursday that about 1.1 million customers have been affected by a three-month security breach that the retailer initially disclosed earlier this month.
So far, credit card companies have told the high-end retailer that about 2,400 cards from Neiman Marcus customers have been used in fraudulent transactions linked to the breach. The retailer has yet to see any fraudulent activity on its own Neiman Marcus cards, the company said in an online post.
This is the most detailed accounting of the incident, which occurred between July and October of 2013, the firm has released to date.
The upscale retail-store operator said online customers were not affected by the intrusion. It also said sensitive information such as social security numbers, birth dates and PIN numbers were not taken in the cyberattack.
The scope of the Neiman Marcus attack is far more limited than a similar breach at Target, where a December breach might ultimately affect more than 100 million customers. Though Neiman Marcus says it has “no knowledge” of a connection to the Target breach, the incidents are striking similar.
Karen Katz, the president and chief executive of Neiman Marcus Group, said in a statement to customers that criminals installed malicious software to collect payment information on the firm’s system for nearly three months. Despite the duration of the attack, the retailer said it was not notified of the problem until mid-December and did not confirm there had been an attack until Jan. 1 — about six months after the initial attack.
The firm is also continuing to investigate how many of its stores were affected. The Neiman Marcus Group includes Neiman Marcus, Bergdorf Goodman, Last Call, Horchow and Cusp stores.
The company is casting a wide net to notify customers about the breach. It is sending notifications to all customers for whom it has addresses or e-mail address on file and who have shopped at its stores in the past year. It is offering free credit monitoring to consumers using Experian’s ProtectMyID program, which is the same service Target is offering its users.
Follow The Post’s new tech blog, The Switch, where technology and policy connect.