Neiman Marcus Breach Exposes Data Of 4.6 Million Users

from the let's-make-sure-we-do-absolutely-nothing-about-this dept

Another day, another massive privacy breach nobody will do much about. This time it’s Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:

“At Neiman Marcus Group, customers are our top priority,” said Geoffroy van Raemdonck, Chief Executive Officer. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

As is par for the course for this kind of stuff, the actual breach is likely much worse than what’s first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn’t even get free credit monitoring, the standard mea culpa handout after these kinds of events (which is worthless anyway, since consumers have already received free credit monitoring for countless hacks and leaks over the last five to ten years).

Of course absolutely nothing will actually happen in the wake of this latest breach, and the company will face no meaningful penalty for failing to adequately secure its systems (another 1.1 million customers had gift card data leaked in a 2014 breach). In large part because we still don’t have an effective, or even basic, privacy law for the internet era because the nation’s wealthy don’t want one. And because we’ve actively underfunded, understaffed, and routinely undermined our privacy regulators, who, even when they can be bothered to step in, do little more than dole out wrist slaps.

At some point you’d think the country’s top policy leaders would get tired of this dysfunctional paradigm and start crafting basic, intelligent federal privacy solutions, but it’s apparently not going to be anytime soon. Our apathy to the impact that lax security and privacy standards have on consumers and markets isn’t an accident; it’s an active policy choice.

Companies: Neiman Marcus


Comments on “Neiman Marcus Breach Exposes Data Of 4.6 Million Users”

PaulT (profile) says:

"the security questions attached to Neiman Marcus accounts."

This is the concerning thing to me. The others range in terms of impact and sensitivity, but many of them are dealt with relatively easily or are a matter for the company to sort out with its customers (gift card numbers can be blocked and regenerated, for example, and are probably not of much use if they’ve already expired or been used).

But, security questions tend to take the form of a small number of very standard requests for which there’s only one real answer that an individual would give. So, someone with access to the Neiman data can most likely cross-reference the accounts with those exposed in other breaches, and gain access to those accounts even if those people have changed their passwords (and perhaps, depending on how good the security actually is on those other sites, if they activated 2FA).

That seems to be a hell of a thing to have been sitting on for a year before telling people what happened, and not necessarily easy for anyone to rectify.

"We will continue to take actions to enhance our system security and safeguard information"

Will you, though?

TaboToka (profile) says:

Re: Security Questions are CARP

As Bruce Schneier wrote:

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. [snip] The answer to the secret question is much easier to guess than a good password, and the information is much more public. [snip] And even worse, everybody seems to use the same series of secret questions.

Essentially, the site is using a weak password as a backup to a (hopefully) strong one. This is entirely bass-ackwards.

So what should you do?

My usual technique is to type a completely random answer — I madly slap at my keyboard for a few seconds — and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question….

If you have a password manager (you do, right?), then you can store the random-character answer in your manager, so it is available if you really need to use it.

Sites don’t take your security seriously, so you have to.

I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.

PaulT (profile) says:

Re: Re: Security Questions are CARP

"you can store the random-character answer in your manager, so it is available if you really need to use it"

I’ve dealt with the general public, and the reality of those people is that they don’t know what you just said. But, they will have given the name of their first pet to 20 different sites they use, and assuming they didn’t also answer a quiz on Facebook to give it away before this hack and already had an issue, they are going to have some problems.
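The two points above (a random, password-manager-stored answer beats a guessable one, and a real pet name reused across many sites is exposed everywhere once one site leaks) can be made concrete with a small script. This is an added example, not code from the article or any commenter; the pet-name list and the site/answer map are constructed sample data, not taken from the breach.

```python
import math
import secrets
import string

# Constructed sample list standing in for the guessable answers people give to
# "name of your first pet"; illustrative only, not taken from any breach.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "buddy",
                    "daisy", "molly", "rocky", "sadie", "bailey"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def guessable_answer_bits(candidates):
    """Entropy (bits) of an answer drawn uniformly from a known candidate list.
    Ten likely pet names give about 3.3 bits: a handful of attempts."""
    return math.log2(len(candidates))


def random_answer(length=32, alphabet=ALPHABET):
    """The 'madly slap at the keyboard' answer done properly: characters drawn
    from the OS CSPRNG via the secrets module. Store it in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_answer_bits(length=32, alphabet=ALPHABET):
    """Entropy (bits) of random_answer(): length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def reused_answers(answers_by_site):
    """Map each answer used on more than one site to the sites that share it.
    Answers are stripped and case-folded because sites usually compare them that way.
    Every site in a group is unlocked by a breach of any other site in that group."""
    groups = {}
    for site, answer in answers_by_site.items():
        groups.setdefault(answer.strip().lower(), []).append(site)
    return {ans: sorted(sites) for ans, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    print(f"guessable pet-name answer: {guessable_answer_bits(COMMON_PET_NAMES):.1f} bits")
    print(f"random 32-char answer:     {random_answer_bits():.1f} bits")
    # Constructed example: one real pet name reused on two accounts, one random answer.
    reused = reused_answers({"shop": "Max", "bank": "max ", "mail": random_answer()})
    print("answers shared across sites:", reused)
```

The entropy figures are the whole argument in two numbers: a dictionary of likely answers is searched in a few tries, while a 32-character random answer is no easier to guess than a strong password. `reused_answers` is the check a user (or a breach-response team with its own customer data) can run to see which accounts fall together when one site leaks.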

That Anonymous Coward (profile) says:

It would be nice if we stopped pretending corporations were innocent in all of this & forced them to pay to fix the damage they caused for people.

The corporations are not the victims, they aren’t out anything.
People who had their IDs stolen are then left to spend stupid amounts of money to prove it wasn’t them that opened that credit card & ran it up.
If we demanded rape victims had to pay for their rape kits to be processed, outside of Texas where rapists have all been removed, people would/should be outraged… but when someone manages to steal your identity & run up bills, the system protects the corporations from losses by demanding the innocent victim pay to prove they are innocent.
All of this data is stolen over and over and over and over & used to steal over and over and over and over…
Perhaps it’s time to admit how this data is used is the problem & demand the industry making big bucks & sticking innocent people with big bills to clean up needs to actually take it seriously & do more to protect the public & tighten things up so it’s harder for someone with a SS#, your dog’s name, and your 3rd grade teacher’s name to get a $75,000 loan.

TaboToka (profile) says:

Re: Re:

forced them to pay

Wouldn’t help much. Most big orgs budget litigation as a cost of doing business or calculate the cost of litigation vs. fixing the issue. For example, GM figured spending $8.59/car to fix their stupid gas tanks was more than the cost of settling any wrongful-death lawsuits.

Now if you were to hold certain C-level folks criminally liable, they would most certainly do something about it. Not sure if that’s possible to do in an S-Corp, though.

ECA (profile) says:

This is so bad.

That I wonder if this is just a way to sell off all their data and BLAME WHO?
Hasn’t anyone created a Program to secure the DATA on these systems? And why hasn’t anyone started using them?
Microsoft Should be making Trillions supporting their Own program and server systems.

A program that creates a Pass/encryption code, and then separates the data and hides it with only 1 program able to Bring all parts together and Decode it.
WHAT’S the freaking Problem?
This is 1 of Hundreds of break-ins, and this is a reported one, and a big one. Where are the server protections? The Admins to monitor what’s happening ON THOSE SERVERS?

PaulT (profile) says:

Re: This is so bad.

"Hasn’t anyone created a Program to secure the DATA on these systems?"

Why would they? If they don’t face financial penalties for this stuff, then any attempt to secure the data costs money – and they spend that on marketing, not those pesky nerds who keep telling them that their servers need protection…

ECA (profile) says:

Re: Re: This is so bad.

And one of the best server setups is free to almost free: Linux.
Where you can design and setup any configuration you want, but you need a person WHO understands Linux and networking.
You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening. Use a simple Old Pentium to do it, CHEAP.

PaulT (profile) says:

Re: Re: Re: This is so bad.

"And one of the best server setups is free to almost free: Linux."

Software is free, but expertise is not. Which is part of the reason why we keep seeing these things happening – the bean counters assume that since the money saved by competent security professionals does not show up on a balance sheet until something goes wrong, that the people they pay to protect them don’t deserve more money because they did a good job…

"You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening"

Yes, and if you haven’t correctly set that up, you can actually be worse off than people who didn’t bother, especially if you fooled yourself into thinking that you only need to set things up once and not constantly adjust and improve the alerting for new threats you didn’t think of in the first place.

"Use a simple Old Pentium to do it, CHEAP."

Not for an enterprise with millions of users, you don’t.
