Neiman Marcus Breach Exposes Data Of 4.6 Million Users

from the let's-make-sure-we-do-absolutely-nothing-about-this dept

Another day, another massive privacy breach nobody will do much about. This time it's Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login in information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:

"At Neiman Marcus Group, customers are our top priority," said Geoffroy van Raemdonck, Chief Executive Officer. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

As is par for the course for this kind of stuff, the actual breach is likely much worse than what's first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn't even get free credit reporting, the standard mea culpa hand out after these kinds of events (which is worthless since consumers have received free credit reporting for countless hacks and leaks over the last five to ten years).

Of course absolutely nothing will actually happen in the wake of this latest breach, and the company will face no meaningful penalty for failing to adequately secure its systems (another 1.1 million customers had gift card data leaked in a 2014 breach). In large part because we still don't have an effective, or even basic, privacy law for the internet era because the nation's wealthy don't want one. And because we've actively underfunded, understaffed, and routinely undermined our privacy regulators, who, even when they can be bothered to step in, do little more than dole out wrist slaps.

At some point you'd think the country's top policy leaders would get tired of this dysfunctional paradigm and start crafting basic, intelligent federal privacy solutions, but it's apparently not going to be anytime soon. Our apathy to the impact that lax security and privacy standards have on consumers and markets isn't an accident; it's an active policy choice.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, data breach
Companies: nieman marcus


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    PaulT (profile), 7 Oct 2021 @ 7:54am

    "the security questions attached to Neiman Marcus accounts."

    This is the concerning thing to me. The others range in terms of impact and sensitivity but many of them are dealt with relatively easily or a matter for the company to sort out with this customers (gift card numbers can be blocked and regenerated, for example, and probably not of much use if they've already expired or been used).

    But, security questions tend to take the form of a small number of very standard requests for which there's only one real answer that an individual would give. So, someone with access to the Neiman data can most likely cross-reference the accounts with those exposed in other breaches, and gain access to those accounts even if those people have changed their passwords (and perhaps, depending on how good the security actually is on those other sites, if they activated 2FA).

    That seems to be a hell of a thing to have been sitting on for a year before telling people what happened, and not necessarily easy for anyone to rectify.

    "We will continue to take actions to enhance our system security and safeguard information"

    Will you, though?

    reply to this | link to this | view in chronology ]

    • icon
      TaboToka (profile), 7 Oct 2021 @ 9:57am

      Security Questions are CARP

      As Bruce Schneier wrote:

      The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. [snip] The answer to the secret question is much easier to guess than a good password, and the information is much more public. [snip] And even worse, everybody seems to use the same series of secret questions.

      Essentially, the site is using a weak password as a backup to a (hopefully) strong one. This is entirely bass-ackwards.

      So what should you do?

      My usual technique is to type a completely random answer — I madly slap at my keyboard for a few seconds — and then forget about it. This ensures that some attacker can’t bypass my password and try to guess the answer to my secret question....

      If you have a password manager (you do, right?), then you can store the random-character answer in your manager, so it is available if you really need to use it.

      Sites don't take your security seriously, so you have to.

      I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can’t possibly do it.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 7 Oct 2021 @ 12:24pm

        Re: Security Questions are CARP

        If you have a password manager (you do, right?), ...

        I do! I do indeed. I got the Westinghouse brand password manager. Admittedly I had to augment it with some Frigidaire brand magnets, but yeah.

        reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 7 Oct 2021 @ 4:55pm

        Re: Security Questions are CARP

        "you can store the random-character answer in your manager, so it is available if you really need to use it"

        I've dealt with the general public, and the reality of those people is that they don't know what you just said. But, they will have given the name of their first pet to 20 different sites they use, and assuming they didn't also answer a quiz on Facebook to give it away before this hack and already had an issue, they are going to have some problems.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2021 @ 8:29am

    New day…

    New day, new breach…
    If it’s online, it’s hackable

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 7 Oct 2021 @ 9:45am

    It would be nice if we stopped pretending corporations were innocent in all of this & forced them to pay to fix the damage they caused for people.

    The corporations are not the victims, they aren't out anything.
    People who had their ID's stolen are then left to spend stupid amounts of money to prove it wasn't them that opened that credit card & ran it up.
    If we demanded rape victims had to pay for their rape kits to be processed, outside of texas where rapist have been all removed, people would/should be outraged... but when someone manages to steal your identity & run up bills the system protects the corporations from losses by demanding the innocent victim pay to prove they are innocent.
    All of this data is stolen over and over and over and over & used to steal over and over and over and over...
    perhaps its time to admit how this data is used is the problem & demand the industry making big bucks & sticking innocent people with big bills to clean up needs to actually take it seriously & do more to protect the public & tighten things up so its harder for someone with a SS#, your dogs name, and the 3rd grade teachers name to get a $75,000 loan.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Oct 2021 @ 12:20pm

    the data exposed included login in information

    and tha-tha-that's all, folks!

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 7 Oct 2021 @ 12:31pm

    This is so bad.

    That I wonder if this is just a way to sell off all their data and BLAME WHO?
    Hasnt anyone create a Program to secure the DATA on these systems? And Why hasnt anyone started using them?
    Microsoft Should be making Trillions supporting their Own program and server systems.

    A program that creates a Pass/encryption code, and then separates the data and hides it with only 1 program able to Bring all parts together and Decode it.
    WHATS the freaking Problem?
    This is 1 of Hundreds of break-ins. and this is reported one, and a big one. Where are the server protections? the Admins to monitor whats happening ON THOSE SERVERS.

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 7 Oct 2021 @ 4:57pm

      Re: This is so bad.

      "Hasnt anyone create a Program to secure the DATA on these systems?"

      Why would they? If they don't face financial penalties for this stuff, then any attempt to secure the data costs money - and they spend that on marketing, not those pesky nerds who keep telling them that their servers need protection...

      reply to this | link to this | view in chronology ]

      • icon
        ECA (profile), 8 Oct 2021 @ 12:17pm

        Re: Re: This is so bad.

        And one of the best server setups is free to Almost free, Linux.
        Where you can design and setup any configuration you want, but you need a person WHO understands Linux and networking.
        You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening. Use a simple Old Pentium to do it, CHEAP.

        reply to this | link to this | view in chronology ]

        • icon
          PaulT (profile), 10 Oct 2021 @ 4:17am

          Re: Re: Re: This is so bad.

          "And one of the best server setups is free to Almost free, Linux."

          Software is free, but expertise is not. Which is part of the reason why we keep seeing these things happening - the bean counters assume that since the money saved by competent security professionals does not show up on a balance sheet until something goes wrong, that the people they pay to protect them don't deserve more money because they did a good job...

          "You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening"

          Yes, and if you haven't correctly set that up, you can actually be worse off than people who didn't bother, especially if you fooled yourself into thinking that you only need to set things up one and not constantly adjust and improve the alerting for new threats you didn't think of in the first place.

          "Use a simple Old Pentium to do it, CHEAP."

          Not for an enterprise with millions of users, you don't.

          reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

Introducing the new Techdirt Insider Chat, now hosted on Discord. If you are an Insider with a membership that includes the chat feature and have not yet been invited to join us on Discord, please reach out here.

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.