Neiman Marcus alerts 4.6 million customers about May 2020 data breach

Retailer Neiman Marcus is notifying some 4.6 million customers that their information was compromised in a May 2020 data breach, the company said.

The Dallas-based chain announced Thursday that hackers accessed user names and passwords, as well as security questions and answers associated with consumer accounts. The luxury fashion chain, one of the largest in the U.S., forced password changes for customers who did not reset their credentials following the incident, and is working with the security firm Mandiant to investigate the matter.

Unidentified intruders accessed roughly 3.1 million payment cards and virtual gift cards, the company said, adding that 85% of those numbers are invalid or have expired. There is no evidence that accounts at Neiman Marcus-owned Bergdorf Goodman or Horchow were affected in the matter, the company said in a statement.

Word of the breach arrives as Neiman Marcus, like other brick-and-mortar retailers, tries to recover from a sudden drop off in sales amid the COVID-19 pandemic. The firm has reduced debt to roughly $80 million from $327 million in 2019, the Wall Street Journal reported in June, while planning to invest more than $500 million over the next three years to accelerate in-store changes and update its supply chain.

The company previously disclosed a data breach in April 2017 in which hackers used customer user names and passwords as a foothold into other data, including other customers’ names, purchase histories and some payment information. Two years before that, fraudsters took control of more than 5,000 accounts, including full payment card numbers and expiration dates, to make a series of fraudulent purchases.