Pierluigi Paganini July 09, 2024

The recent data breach suffered by the American luxury department store chain Neiman Marcus has exposed more than 31 million customer email addresses.

In May 2024, the American luxury retailer and department store chain Neiman Marcus disclosed a data breach following the security breach of the cloud-based data warehousing company Snowflake.

The luxury retailer disclosed the data breach after threat actors attempted to sell the company’s data for $150K.

The threat actors, called “Sp1d3r,” claimed that stolen data included names, addresses, phones, DOBs, emails, the last 4 of SSN, and much more. The company database offered for sale also includes:

• 70M transactions (with full customer details, last 4 of SSN, and more).
• 50M customer emails and IP addresses tracking.
• 12M gift card numbers (with name, gift card number, balances, and more).
• 6 billion rows of customer shopping records, employee data, store information.

According to a data breach notification filed with the Office of the Maine Attorney General, the security breach impacted 64,472 individuals.

“We are writing to notify you of an issue that involves certain of your personal information. In May 2024, we learned that, between April and May 2024, an unauthorized third party gained access to a database platform used by Neiman Marcus Group.” reads the notification. “Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform. The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs).”

However, the popular cyber security expert Troy Hunt, who runs the data breach notification platform Have I Been Pwned, told BleepingComputer that the data breach suffered by the American luxury retailer exposed more than 31 million customer email addresses.

A joint investigation by SnowFlake, Mandiant, and CrowdStrike attributes the supply attack to the financially motivated threat actor UNC5537.

According to Mandiant, the attackers used stolen customer credentials to target at least 165 organizations, including TicketMaster and Ticketek.

Hunt also confirmed that the data included in the database appears to be legitimate.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)