Neiman Marcus Group has notified regulatory authorities and customers of a data breach after an unauthorized third party gained access to cloud storage and stole the personal information of over 64,000 people.
Shortly after Neiman Marcus disclosed the data breach, a threat actor named “Sp1d3r” listed the database on a dark web hacking forum for $150,000 and accused the Dallas, Texas-based luxury retailer of refusing to pay ransom “to secure customer data.”
The Neiman Marcus data breach is part of the large-scale Snowflake hacking campaign affecting hundreds of organizations.
Neiman Marcus confirms a data breach exposing PII
On May 24, Neiman Marcus learned of the April 14, 2024, data breach, which affected cloud services provider Snowflake.
“In May 2024, we learned that, between April and May 2024, an unauthorized third party gained access to a database platform used by Neiman Marcus Group,” the company said.
Neiman Marcus immediately responded by disabling access to the compromised cloud database platform and notifying law enforcement authorities. Neiman Marcus’ assessment also determined that the threat actor obtained victims’ personal information.
“Promptly after learning of the issue, we took steps to contain it, including by disabling access to the relevant database platform,” the company said. “We also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
“Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform,” noted Neiman Marcus.
Details leaked in the Neiman Marcus data breach included victims’ names, contact information, dates of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) without gift card PINs.
However, Neiman Marcus assured customers that the validity of their stolen gift cards was not compromised, seemingly because the data breach did not expose their PINs.
The threat actor also alleged that the database contains Neiman’s customers’ email addresses and partial Social Security numbers. Exposing customer emails enables attackers to craft convincing spear phishing messages to obtain more valuable personal details such as credit card numbers and account credentials.
According to a data breach notification filed with the Office of the Maine Attorney General, the Neiman security incident affected 64,472 people in various states.
The threat actor claims the stolen database contains 50 million customer emails, 70 million transactions, 12 million gift cards, and over a billion rows of customer shopping records, employee data, and store information. It also includes the personal information of “High Value Rich Targets! Big Spenders!”
So far, Neiman Marcus has shared limited details regarding the apparent Snowflake data breach, including the identity of the affected cloud service provider.
Supply chain attacks impacted numerous organizations
The Snowflake hack began on April 14 and has impacted at least 165 organizations, including Santander Bank, Anheuser-Busch, Mitsubishi, Progressive, and Ticketmaster.
Google-owned cybersecurity firm Mandiant attributed the Snowflake hacking campaign to a financially motivated APT, UNC5537. Mandiant says the threat actor leveraged compromised credentials harvested via info-stealer malware and targeted accounts without multi-factor authentication (MFA), with some compromised “as far back as 2020.”
“This is another enterprise significantly impacted from the Snowflake incident where the root cause was compromised credentials from employees using cloud accounts,” said Jim Routh, Chief Trust Officer at Saviynt. “Enterprises can learn from this by ensuring IAM practices for account registration and configuration of cloud accounts is performed by the IAM team with the necessary governance for both registration and on-going operational support.”
Comparing the Snowflake hack to the SolarWinds supply chain attacks, James McQuiggan, security awareness advocate at KnowBe4, said third-party vendors pose a significant risk to primary organizations: “Cybercriminals continue to be successful by leveraging supply chain attacks via a data breach against a significant service provider for hundreds of organizations. As seen with SolarWinds, MOVEit Transfer, and United Healthcare, Snowflake joined the breached organizations and was unaware when it was too late.”
In 2020, Neiman Marcus suffered a similar data breach, impacting 4.6 million customers. It exposed the victims’ names, contact information, payment card numbers, expiration dates without CVVs, virtual gift card numbers without PINs, usernames, passwords, and security questions.
Similarly, the luxury goods retailer settled a class action lawsuit in 2017 following another cyber attack that impacted 350,000 individuals.

