Neiman Marcus has notified 4.6 million online customers that their personal information including names, contact information, and credit card numbers may have been accessed in a data hack. The high-end department store chain said it had notified law enforcement authorities about the breach, which it said happened in May 2020. About 3.1 million payment and virtual gift cards were affected, more than 85% of which were expired or invalid, Neiman Marcus said.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>While a shallow glance at this makes it look like yet another personal data breach, this one is a bit different. According to the information, not only have credit card numbers leaked which means that the company has been storing credit card numbers in a format that is readable, but also that 85% of those would have expired meaning that the organization had little to no justification to keep processing and storing those cards. While the breach notification is good, the lack of hygiene, in this case, is considerable.</p>
<p>Retailers are some of the most viable targets for threat actors precisely because these businesses gather, process, and house so much information about their customers. Of course, they need this information to understand their customer base and grow their retail offers (and their businesses). However, they have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature. The outcome of not doing this is exactly what Neiman Marcus Group is now facing.</p>
<p>The answer isn’t just to protect data within secured borders and behind guarded perimeters, though that is a good start. Protect the data itself as well, with data-centric security that makes sensitive information unreadable and unusable by threat actors. Data-centric methods such as tokenization can do this while also preserving data format so that business applications can work with data in a protected state. The best way to preserve reputational data in the market and keep your customers happy is to make sure you never have to inform them that their sensitive PII might be compromised!</p>