Back in 2013, high-end retailer Neiman Marcus was breached, resulting in a loss of data related to about 370,000 customers. Well, needless to say, those 370,000-ish customers weren’t happy, and they launched a class action claiming that Neiman Marcus was accountable for the breach, which resulted in the fraudulent misuse of around 9,600 credit cards. The class action complaint included the claim that “Neiman Marcus grossly failed to comply with security standards and allowed their customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Security Breach that occurred.”
Now, back in the present, approval was granted (on June 7) for a settlement of the claim for US$1.6M, along with another US$530K in legal fees (while noting that “the settlement will not under any circumstances be deemed to constitute, an admission of wrongdoing or liability by any Party”).
Well, just as the settlement dust was settling (yes, I wrote that :-)) on the 2013 breach, Neiman Marcus released a statement that another breach had taken place. This most recent breach has affected 4.6 million customers, about 13 times as many as were affected in the 2013 breach.
The company noted that “…approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid.” It’s not clear from that statement how many actually-unexpired payment cards were affected, and it’s not clear what personal and identifying information was lost either, but those details will probably surface over time.
And that leads to the second, deeply entwined and worrying problem: It appears that the breach actually took place back in May of 2020, and remained undetected for the intervening 17 months!
Alas no, because there are so many possible outcomes from the second breach, considering that it follows so closely on the class-action settlement from the first breach, and considering that this most recent breach has affected an order of magnitude more customers. It seems reasonable to speculate, however, that:
And that, as they say, is that! This was just a quick update post, but we’ll be sure to keep an eye on how this particular breach unfolds, and we’ll update our posts again when more details come to hand.