Neiman Marcus Cyber Attacker Looks to Sell Hacked Data of ‘High Value Rich Targets!’

Here’s a sale Neiman Marcus never wanted: Apparently, the latest cyberattack against the department store, which it said affects 64,000 customers, has resulted in a tranche of shopper data being put up for sale for $150,000.

In terms of scope, this could be a conservative estimate. “Sp1d3r,” the hacker claiming responsibility, asserts that the number is orders of magnitude larger, at 180 million users. That number hasn’t been corroborated, but what’s certain is that the suspect is attempting to sell the data on a cybercrime forum.

The incident occurred on April 14, according to a government Data Breach Notification filed by Neiman Marcus’ attorneys, and was uncovered on May 24. On Monday, the retailer notified affected consumers.

A company spokesperson told WWD, “Neiman Marcus Group recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake. Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform.”

Then the company immediately launched an investigation alongside cybersecurity experts and notified law enforcement.

The alleged attacker maintained that the exploit yielded the last four digits of Social Security numbers — a detail that Neiman Marcus did not discuss or respond to, when asked — amid other information from 70 million transactions, 50 million customer emails (with IP address tracking), 12 million gift card numbers and 6 billion rows of customer shopping records.

But Neiman Marcus did confirm at least some of the other aspects of the hacker’s claim. “The types of personal information affected varied by individual, and included information such as name, contact information, date of birth and Neiman Marcus or Bergdorf Goodman gift card numbers,” the rep said.

However, the breach didn’t yield gift card PINs, they added. This means that the PINs, as a security mechanism, did their job by protecting the loaded value from unauthorized access or use.

Regardless, Sp1d3r appears intent on selling whatever info was gleaned, or at least hopes to extort the department store into paying to get the data back.

“High value rich targets! Big spenders!” Sp1d3r wrote. “Neiman, if interest in exclusive purchase we remove post. Contact us.”

The incident appears to be one of several recent attacks on Snowflake customers, including a high-profile breach of event goliath Ticketmaster. The cloud database provider characterized them as a “targeted threat campaign” aimed at some of its customers. But after a third-party investigation, it took to X, formerly Twitter, to reject the notion that the attacks were due to a vulnerability in its platform.

Snowflake chalked it up to “compromised credentials previously purchased or obtained through infostealing malware,” which attackers used to target accounts that only used single-factor authentication.
