Neiman Marcus breach. Again.

A long time ago*......

Waaay back, in 2013, high-end retailer Neiman Marcus was breached, resulting in a loss of data related to about 370,000 customers. Well needless to say, those 370,000-ish customers weren’t happy and they launched a class action claiming that Neiman Marcus was accountable for the breach which resulted in the fraudulent misuse of around 9,600 credit cards. The class action complaint included the claim that, “Neiman Marcus grossly failed to comply with security standards and allowed their customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Security Breach that occurred”

Now, back in the present, approval was granted (on June 7) for a settlement of the claim for US$1.6M, along with another US$530K in legal fees (while noting that “the settlement will not under any circumstances be deemed to constitute, an admission of wrongdoing or liability by any Party”).

And then what happened?

Well just as the settlement dust was settling (yes, I wrote that :-)) on the 2013 breach, Neiman Marcus released a statement that another breach had taken place. This most recent breach has affected 4.6 million customers, about 13 times as many as were affected in the 2013 breach.

The company noted that ,”…approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid.” It’s not clear from that statement how many actually-unexpired payment cards were affected and it’s not clear what personal and identifying information was lost either, but those details will probably surface over time.

And that leads to the second, deeply entwined and worrying problem: It appears that the breach actually took place back in May of 2020, and remained undetected for the intervening 17 months!

I'm bored.... can we jump to the ending?

Alas no, because there are so many possible outcomes from the second breach, considering that it follows so closely to the class-action settlement from the first breach, and considering that this most recent breach has affected an order of magnitude more customers. It seems reasonable to speculate however that:

The recovery costs are going to be unnecessarily expensive. Logs have been rolling over for up to 17 months now, so slabs of critical information that would help to determine the extent of the breach have probably been lost. Sure, it can be recovered (maybe) from backups and snapshots, but that will take lots of time, and lots of time generally means lots of money. And from our experience, there will be gaps in what can be recovered (especially from more than a year ago), and that means uncertainty as to what the attackers did, and whether or not they are still doing it.
There’s money to be made! If it’s worth running a class action for the breach of 370K accounts, it’s probably worth getting one going for a breach of 4.6M. And if a settlement for the breach of 370K accounts is worth US1.6M, we can only guess what the settlement for 4.6M accounts is going to be.
There’s money to be lost! On the other side of the coin, not only is there the risk of a class action and associated costs, there are also potential costs associated with cyber insurance cover. It is becoming increasingly clear that premiums are on the rise and from DotSec’s experience, it appears to be getting more difficult to obtain cover, especially where the prospective insured cannot demonstrate a satisfactory level of security maturity.
And then there is Payment Card Industry (PCI) Data Security Standard (DSS) compliance. We do not know if any credit card details were lost in the most recent Neiman Marcus breach, or if any PCI DSS controls were missing or ineffective, but investigations regarding other, unrelated card breaches have resulted in significant penalties where short-comings were found.

OK, that's all!

And that, as they say, is that! This was just a quick update post, but we’ll be sure to keep an eye on how this particular breach unfolds, and we’ll update our posts again when more details come to hand.

In the mean time of course, feel free to give us a call. Cheers!

*A long time ago... no, not Star Wars... It was Lester Corncrake! 
(You'll need sound turned up :-))

Premier australian cyber security specialists

ISO 27001 consulting

Practical and experienced Australian ISO 27001 and ISMS consulting services. We will help you to establish, implement and maintain an effective information security management system (ISMS).

Penetration tests

DotSec’s penetration tests are conducted by experienced, Australian testers who understand real-world attacks and secure-system development. Clear, actionable recommendations, every time.

PCI DSS

dotSec stands out among other PCI DSS companies in Australia: We are not only a PCI QSA company, we are a PCI DSS-compliant service provider so we have first-hand compliance experience.

WAF and app-sec

Web Application Firewalls (WAFs) are critical for protecting web applications and services, by inspecting and filtering out malicious requests before they reach your web servers

Identity management

Multi-Factor Authentication (MFA) and Single Sign-On (SSO) reduce password risks, simplify access, letting verified and authorised users reach sensitive systems, services and apps.

Vulnerability management

dotSec provides comprehensive vulnerability management services. As part of this service, we analyse findings in the context of your specific environment, priorities and threat landscape.

Phishing and soc eng

We don’t just test whether users will click a suspicious link — we also run exercises, simulating phishing attacks that are capable of bypassing multi-factor authentication (MFA) protections.

Penetration testing

DotSec’s penetration testing services help you identify and reduce technical security risks across your applications, cloud services and internal networks. Clear, actionable recommendations, every time!

Managed SOC/SIEM

dotSec has provided Australian managed SOC, SIEM and EDR services for 15 years. PCI DSS-compliant and ISO 27001-certified. Advanced log analytics, threat detection and expert investigation services.

Secure configuration

We provide prioritised, practical guidance on how to implement secure configurations properly. Choose from automated deployment via Intune for Windows, Ansible for Linux or Cloud Formation for AWS.

Secure cloud hosting

Secure web hosting is fundamental to protecting online assets and customer data. We have over a decade of AWS experience providing highly secure, scalable, and reliable cloud infrastructure.

Essential eight

DotSec helps organisations to benefit from the ACSC Essential Eight by assessing maturity levels, applying practical security controls, assessing compliance, and improving resilience against attacks.

CIS 18 Critical Controls

Evaluation against the CIS 18 Controls establishes a clear baseline for stakeholders, supporting evidence-based planning, budgeting, maturity-improvement and compliance decisions

Advisory services

We have over 25 years of cyber security experience, providing practical risk-based guidance, advisory and CISO services to a wide range of public and private organisations across Australia.