An American luxury retailer Neiman Marcus revealed in May 2024 that a data breach had compromised over 31 million customer email addresses. This alarming figure was uncovered by Troy Hunt, founder of Have I Been Pwned, who analyzed the stolen data. According to Hunt, the breach exposed much more than the 64,472 individuals initially reported in a breach notification filed with the Office of the Maine Attorney General. This discrepancy highlights the extensive reach of the breach and underscores the urgency of the situation.

Neiman Marcus disclosed that the stolen data included a wide array of personal information. The compromised data encompassed names, email addresses, postal addresses, phone numbers, dates of birth, gift card information, transaction histories, partial credit card details (excluding expiration dates and CVVs), Social Security numbers, and employee identification numbers. Hunt’s analysis confirmed the legitimacy of the data, with over 30 million unique email addresses verified. He emphasized the importance of promptly notifying the affected individuals, totaling 31,152,842 unique addresses. Hunt also noted that approximately 105,000 Have I Been Pwned subscribers found in the dataset would receive email notifications regarding the breach.

When contacted by BleepingComputer, a Neiman Marcus spokesperson declined to comment on Hunt’s findings and directed inquiries to the company’s data security notification on their website. The notification confirmed that the 64,472 individuals mentioned in the Maine filing were those who had received direct notifications about the breach.

                                      Neiman Marcus data for sale on hacking forum (HacManac)

The breach was linked to the Snowflake data theft attacks, as disclosed by Neiman Marcus in a statement to BleepingComputer. The company reported that an unauthorized party had accessed a cloud database platform provided by Snowflake. The threat actor, known as “Sp1d3r,” attempted to sell Neiman Marcus’ data on a hacking forum for $150,000. The data offered for sale included 12 million gift card numbers, 70 million transactions with full customer details, and 6 billion rows of customer shopping records, store information, and employee data. While the threat actor initially claimed that Neiman Marcus refused to pay an extortion demand, the subsequent removal of the forum post and data sample suggested that negotiations might have commenced.

A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that the breach was carried out by a financially motivated threat actor identified as UNC5537. This actor exploited stolen customer credentials to target at least 165 organizations that had not properly configured multi-factor authentication (MFA) on their Snowflake accounts. The investigation highlighted the critical importance of robust MFA protections to prevent such breaches. Other notable victims of these attacks, which began in May 2024, included Ticketmaster, Santander, Pure Storage, QuoteWizard/LendingTree, Advance Auto Parts, and the Los Angeles Unified School District.

The Neiman Marcus data breach serves as a stark reminder of the vulnerabilities in data security and the far-reaching impact of such incidents. It underscores the need for consumers, cybersecurity professionals, and industry stakeholders to remain vigilant and prioritize robust security measures to protect sensitive information.