
Neiman Marcus suffers another consumer data breach

Friday 5 February 2016 | 10:55 AM CET

Retailer Neiman Marcus has suffered a data breach of its customer accounts.

On January 29, 2016, Neiman Marcus notified potentially affected online customers and the California attorney general of a breach that it says compromised an estimated 5,200 accounts.

On or about Dec. 26, 2015, hackers attempted to access online accounts by trying various login and password combinations using "automated attacks," Neiman Marcus reports. Online accounts impacted by the breach are connected to several Neiman Marcus Group brands, including its Bergdorf Goodman, Last Call, CUSP, Horchow and Neiman Marcus stores.

Although Neiman Marcus says its fraud team detected unauthorized purchases made from approximately 70 accounts and credited the affected customers for those purchases, the attackers were able to access some customer information.

Neiman Marcus is advising affected customers to change their online passwords and warning them to be on the lookout for phishing attacks.

This breach of online accounts apparently is not related to the payment card breach Neiman Marcus suffered in 2014, which affected an estimated 350,000 payment cards.

Breaches along the lines of this most recent Neiman Marcus incident are becoming more common because criminals can gather information about consumers on social media and then pair it with PII, as well as usernames and passwords, that they have compromised in data breaches or purchased in underground forums. Because many online users use the same username and password for multiple accounts, once those credentials are compromised, hackers can use them to access accounts on various websites.

To help mitigate this threat, organizations need to carefully consider whether they need to store any PII, and if so, make sure it is encrypted.
