A long time ago*......
Back in 2013, high-end retailer Neiman Marcus was breached, resulting in a loss of data related to about 370,000 customers. Well needless to say, those 370,000-ish customers weren’t happy and they launched a class action claiming that Neiman Marcus was accountable for the breach which resulted in the fraudulent misuse of around 9,600 credit cards. The class action complaint included the claim that, “Neiman Marcus grossly failed to comply with security standards and allowed their customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Security Breach that occurred“
Now, back in the present, approval was granted (on June 7) for a settlement of the claim for US$1.6M, along with another US$530K in legal fees (while noting that “the settlement will not under any circumstances be deemed to constitute, an admission of wrongdoing or liability by any Party“).
And then what happened?
Well just as the settlement dust was settling (yes, I wrote that :-)) on the 2013 breach, Neiman Marcus released a statement that another breach had taken place. This most recent breach has affected 4.6 million customers, about 13 times as many as were affected in the 2013 breach.
The company noted that ,”…approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid.” It’s not clear from that statement how many actually-unexpired payment cards were affected and it’s not clear what personal and identifying information was lost either, but those details will probably surface over time.
And that leads to the second, deeply entwined and worrying problem: It appears that the breach actually took place back in May of 2020, and remained undetected for the intervening 17 months!
I'm bored.... can we jump to the ending?
Alas no, because there are so many possible outcomes from the second breach, considering that it follows so closely to the class-action settlement from the first breach, and considering that this most recent breach has affected an order of magnitude more customers. It seems reasonable to speculate however that:
- The recovery costs are going to be unnecessarily expensive. Logs have been rolling over for up to 17 months now, so slabs of critical information that would help to determine the extent of the breach have probably been lost. Sure, it can be recovered (maybe) from backups and snapshots, but that will take lots of time, and lots of time generally means lots of money. And from our experience, there will be gaps in what can be recovered (especially from more than a year ago), and that means uncertainty as to what the attackers did, and whether or not they are still doing it.
- There’s money to be made! If it’s worth running a class action for the breach of 370K accounts, it’s probably worth getting one going for a breach of 4.6M. And if a settlement for the breach of 370K accounts is worth US1.6M, we can only guess what the settlement for 4.6M accounts is going to be.
- There’s money to be lost! On the other side of the coin, not only is there the risk of a class action and associated costs, there are also potential costs associated with cyber insurance cover. It is becoming increasingly clear that premiums are on the rise and from DotSec’s experience, it appears to be getting more difficult to obtain cover, especially where the prospective insured cannot demonstrate a satisfactory level of security maturity.
- And then there is Payment Card Industry (PCI) Data Security Standard (DSS) compliance. We do not know if any credit card details were lost in the most recent Neiman Marcus breach, or if any PCI DSS controls were missing or ineffective, but investigations regarding other, unrelated card breaches have resulted in significant penalties where short-comings were found.
OK, that's all!
And that, as they say, is that! This was just a quick update post, but we’ll be sure to keep an eye on how this particular breach unfolds, and we’ll update our posts again when more details come to hand.