Last week, luxury retailer Neiman Marcus Group (NMG) notified some customers that attackers had gained unauthorized access to their online accounts.
According to the company, the incident dates back to on or around December 26, 2015, when intruders attempted various login and password combinations using automated attacks in an effort to access customers’ online accounts on the Neiman Marcus, Bergdorf Goodman, Last Call, CUSP and Horchow websites.
“We suspect this activity was due to large breaches at other companies (not the Neiman Marcus Group), where user login names and passwords were stolen and then used for unauthorized access to other accounts . . . where a user may use the same login name and/or password,” read the letter addressed to customers.
The attackers managed to access approximately 5,200 accounts, containing contact information, purchase history, and the last four digits of credit card numbers.
The retailer noted that sensitive information, such as Social Security numbers, dates of birth, full financial account numbers or PINs, was not visible through online accounts.
“At present, all indications are that the Neiman Marcus Group database of customer email addresses or passwords remain safe, and that our cyber defenses repelled more than 99% of the attacks,” the company said.
Hackers were able to make purchases on roughly 70 breached accounts; however, the retailer’s fraud team detected the unauthorized purchases and has since reimbursed affected customers.
Neiman Marcus is requiring impacted customers to change their account password the next time they log in.
Meanwhile, affected customers should also remain vigilant for suspicious activity on financial accounts, as well as credit reports.
In a data breach notice submitted to the California Office of the Attorney General, the company stated it has initiated a comprehensive response and investigation to understand the scope of the incident.
“It appears that our defense functioned as designed during the attack,” said the company. “Our team has taken significant steps to limit the ability of these individuals to access Neiman Marcus accounts.”
In January 2014, the retailer announced hackers used point-of-sale malware to steal the details of more than 1.1 million customer payment cards. After an investigation, the company said only about 350,000 cards had been affected.