Neiman Marcus Customers Impacted by Snowflake Data Breach

Luxury department store chain Neiman Marcus confirmed that nearly 65,000 customers were impacted by the theft of its database during recent attacks on the cloud-based data warehousing platform Snowflake.

In a notification filed with the Office of the Maine Attorney General, Neiman Marcus revealed it learned in May of the attack, part of a series of attacks on the data platform between April and May.

"Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform," Neiman Marcus cautioned in the statement.

As reported by Hackmanac, the attacker known as "Sp1d3r" allegedly sold the stolen information for $150,000 after accessing the company's Snowflake account credentials.  

"The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs)," the statement continued.

Overall, more than 70 million transactions, 50 million customer emails, and 12 million gift card numbers were up for sale, along with employee info, and customer shopping data.

With the Dallas-based department store catering to high-end customers, "Sp1d3r" was quick to mention the data included "High Value Rich Targets! Big Spenders!"

This is not the first time the company has been victim of a data breach. In an attack in May 2020, the personal information of around 4.6 million online customers was exposed.

Neiman Marcus became aware of the breach — and then notified those affected — only more than a year later.

Strengthening MFA a Must

The admission by Neiman Marcus is the latest fallout from the Snowflake breach reported earlier this month, which impacted data belonging to at least 165 organizations, including Ticketmaster and Santander Bank.

A Mandiant investigation into the account compromises revealed the breaches occurred due to customers failing to implement multifactor authentication (MFA) and proper access control.

The financially motivated threat actor was identified as UNC5537 and accessed accounts using valid credentials obtained from other sources.

Dirk Schrader, vice president of security research at Netwrix, says organizations should embrace the use of MFA and password management solutions, implement a just-in-time privilege approach to identity security, and ensure detailed monitoring.

"MFA ensures another level of identification between a malicious actor and access to an organization's system, making it much more difficult to compromise identities," he explains.

A password-management solution helps ensure the use of complex, hard-to-crack passwords in place, restricts reusing passwords for multiple accounts, and relieves users from the burden of remembering them.

"For sensitive systems, organizations should go for just-in-time access management so that accounts only exist as long as they are needed, drastically reducing an attacker's options for credential abuse," Schrader adds.

Gunnar Braun, technical manager at Synopsys Software Integrity Group, says the incident demonstrates that literally every company is a potential target for an attack, and every organization that stores data in any shape or form must take measures to protect that data.

"Retailers are likely an easier target, as they are not subject to strict security regulations and often have a lower IT investment," he says.

He says for Neiman Marcus — and all other Snowflake customers — it comes down to protecting their credentials, like everyone should do for their PayPal, Gmail, and any other accounts.

Darren Williams, CEO and founder of BlackFog, warns the long-term effects of the breaches is unfortunate for customers, given how data is often leveraged for many years to come and sold on the Dark Web.

"The fact that Neimans failed to pay the ransom, while a good approach, has forced the attackers to make revenue other ways by selling the data online and targeting individuals," he says. "Unfortunately, most organizations are still unprepared to deal with these types of attacks."