Neiman Marcus customer data potentially sold as US shopping icon confirms data breach

Neiman Marcus customer data potentially sold as US shopping icon confirms data breach

Luxury shopping brand sends letters to customers confirming data breach affecting more than 64,000 – and the data may already have been sold.

US designer shopping giant Neiman Marcus began contacting 64,472 of its customers this week warning them of a data breach connected to a “database platform used by Neiman Marcus Group”.

The letter was sent to customers on June 24, informing that an “unauthorised third party” had gained access to the platform and gotten away with a tranche of personal data.

“Based on our investigation, the unauthorised third party obtained certain personal information stored in the database platform,” Neiman Marcus’ letter – filed with the Office of the Maine Attorney General – said.

“The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs).”

According to the filing, the date of the hack was April 14; the breach was subsequently discovered on May 24. The letter states that, following the breach, Neiman Marcus disabled access to “the relevant database platform,” engaged cyber security experts, and notified law enforcement.

“We take our obligation to safeguard personal information very seriously and are alerting you about this issue so you can take steps to help protect your information,” the letter said.

A day later on June 25 the threat actor behind a string of hacks related to data warehousing firm Snowflake, Sp1d3r, claimed to have the stolen data and was selling it on a popular hacking forum for US$150,000.

“High value rich targets! Big Spenders!” Sp1d3r said. Before saying that he had tried to extort a ransom from the company.

“Neiman Marcus not interest [sic] in paying to secure customer data. We give them opportunity to pay and they decline. Now we sell. Enjoy!”

Alarmingly, however, that post has since been taken down, possibly suggesting a successful sale of the data. Threat tracking platform FalconFeeds.ai had observed the post before its deletion, and reported that the data contained “70 million transactions with full customer details, 50 million customer emails and IP addresses, 12 million gift card numbers with associated balances, and 6 billion rows of customer shopping records, employee data, and store information”.

Other data allegedly included the last four digits of social security numbers.

The threat actor made a reference to “Raped Flake” in their post, which is a custom hacking tool used to take advantage of poorly configured Snowflake servers. Neiman Marcus later confirmed that Snowflake was the “database platform” involved in the incident.

“Neiman Marcus Group (NMG) recently learned that an unauthorised party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake,” the Neiman Marcus Group told several media outlets, including Bleeping Computer.

Sp1d3r has been involved in a number of high profile data breaches concerning Snowflake’s server infrastructure, including Ticketmaster, Pure Storage, and Santander Bank.