The Dallas-based Neiman Marcus Group has long been known around the world as the luxury brand of choice for the wealthy. However, its reputation for premium quality took a big hit when news broke that the company's network had been breached by attackers back in May 2020.
It took 17 months for the retailer to take notice.
Just this week, Neiman Marcus acknowledged the breach, which exposed customers' personal information such as names, contact information, payment card information (without CVV code), gift card numbers (without PIN code), usernames, passwords, and even the security questions tied to Neiman Marcus online accounts.
Undiscovered vulnerabilities are dangerous for customers
But security experts say it is too late for Neiman Marcus to take protective measures, and the fact that the unauthorized access went undetected for so long makes the situation even more dire.
The intrusion occurred before Neiman Marcus filed for bankruptcy in September 2020, which could have made the attack harder to identify, and from a security perspective it is very dangerous for a company to go so long without finding and closing the hole. The breach may have caused more harm than has yet been discovered, and the attacker is likely to have sold access to the system to someone else so that it can be used later.
While most stolen credit and gift card records today do not include data such as PINs and CVVs, and the card details may by now be out of date, the theft of username and password information is a real concern. This data is more likely to be sold to other attackers, who can combine it with other stolen personal information to commit crimes such as identity theft.
Experts also say that it is now difficult to find any direct evidence of the intrusion, since so much time has passed since the initial leak.
The researchers believe that the key evidence is likely no longer in the company's systems, and it is now difficult to determine the original point of intrusion, what other areas the attackers reached, and what the attackers did beyond stealing data. All of these points are critical for an organization to inform the affected departments so they can make adjustments to prevent a recurrence, and to provide key evidence to law enforcement for further criminal investigation.
The security situation of many institutions is appalling
Security researchers say it is surprising how many organizations still lack prevention and detection capabilities. We should avoid blaming victims as much as possible, but in many cases businesses have been grossly negligent in keeping customer data safe.
In many breaches, attackers gained access to customer data with little effort.
Although the attackers or their methods are often described in the news as very sophisticated, the reality is that most intrusions look nothing like the "cyber attack plot" of a movie. They are as simple as someone walking through the front door and stealing from a filing cabinet while no one is looking.
Neiman Marcus’ security team should assume that attackers have been lurking in its systems since May 2020. And the enterprise should adopt stronger security policies.
Today, sophisticated online retailers rely on artificial intelligence to handle everything from credit fraud to supply logistics, and of course to continuously monitor risk across their globally distributed networks and complex digital infrastructures. As retailers like Neiman Marcus continue to adapt to a more virtual world and support newer ways to shop remotely (like its recently announced virtual sneaker showroom), we expect attacks on the industry to increase. These innovations open more avenues for attackers to snoop on and access consumers' private data. Businesses have a responsibility to ensure that their consumers' personal data is defended and protected as well as possible.
Currently, Neiman Marcus requires customers to reset their passwords and has set up a service center for those concerned about their information being compromised.
Security experts believe retailers have an ethical and legal obligation to protect customer data and to keep this sensitive information out of criminals' hands.