Neiman Marcus Breach Exposes Data Of 4.6 Million Users
from the let's-make-sure-we-do-absolutely-nothing-about-this dept
Another day, another massive privacy breach nobody will do much about. This time it's Neiman Marcus, which issued a statement indicating that the personal data of roughly 4.6 million U.S. consumers was exposed thanks to a previously undisclosed data breach that occurred last year. According to the company, the data exposed included login in information, credit card payment information, virtual gift card numbers, names, addresses, and the security questions attached to Neiman Marcus accounts. The company is, as they always are in the wake of such breaches, very, very sorry:
"At Neiman Marcus Group, customers are our top priority," said Geoffroy van Raemdonck, Chief Executive Officer. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."
As is par for the course for this kind of stuff, the actual breach is likely much worse than what's first being reported here. And by the time the full scope of the breach becomes clear, the press will have largely lost interest. The company set up a website for those impacted to get more information. In this case, impacted consumers didn't even get free credit reporting, the standard mea culpa hand out after these kinds of events (which is worthless since consumers have received free credit reporting for countless hacks and leaks over the last five to ten years).
Of course absolutely nothing will actually happen in the wake of this latest breach, and the company will face no meaningful penalty for failing to adequately secure its systems (another 1.1 million customers had gift card data leaked in a 2014 breach). In large part because we still don't have an effective, or even basic, privacy law for the internet era because the nation's wealthy don't want one. And because we've actively underfunded, understaffed, and routinely undermined our privacy regulators, who, even when they can be bothered to step in, do little more than dole out wrist slaps.
At some point you'd think the country's top policy leaders would get tired of this dysfunctional paradigm and start crafting basic, intelligent federal privacy solutions, but it's apparently not going to be anytime soon. Our apathy to the impact that lax security and privacy standards have on consumers and markets isn't an accident; it's an active policy choice.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: breach, data breach
Companies: nieman marcus
Reader Comments
Subscribe: RSS
View by: Time | Thread
"the security questions attached to Neiman Marcus accounts."
This is the concerning thing to me. The others range in terms of impact and sensitivity but many of them are dealt with relatively easily or a matter for the company to sort out with this customers (gift card numbers can be blocked and regenerated, for example, and probably not of much use if they've already expired or been used).
But, security questions tend to take the form of a small number of very standard requests for which there's only one real answer that an individual would give. So, someone with access to the Neiman data can most likely cross-reference the accounts with those exposed in other breaches, and gain access to those accounts even if those people have changed their passwords (and perhaps, depending on how good the security actually is on those other sites, if they activated 2FA).
That seems to be a hell of a thing to have been sitting on for a year before telling people what happened, and not necessarily easy for anyone to rectify.
"We will continue to take actions to enhance our system security and safeguard information"
Will you, though?
[ link to this | view in chronology ]
Security Questions are CARP
As Bruce Schneier wrote:
Essentially, the site is using a weak password as a backup to a (hopefully) strong one. This is entirely bass-ackwards.
So what should you do?
If you have a password manager (you do, right?), then you can store the random-character answer in your manager, so it is available if you really need to use it.
Sites don't take your security seriously, so you have to.
[ link to this | view in chronology ]
Re: Security Questions are CARP
I do! I do indeed. I got the Westinghouse brand password manager. Admittedly I had to augment it with some Frigidaire brand magnets, but yeah.
[ link to this | view in chronology ]
Re: Security Questions are CARP
"you can store the random-character answer in your manager, so it is available if you really need to use it"
I've dealt with the general public, and the reality of those people is that they don't know what you just said. But, they will have given the name of their first pet to 20 different sites they use, and assuming they didn't also answer a quiz on Facebook to give it away before this hack and already had an issue, they are going to have some problems.
[ link to this | view in chronology ]
New day…
New day, new breach…
If it’s online, it’s hackable
[ link to this | view in chronology ]
It would be nice if we stopped pretending corporations were innocent in all of this & forced them to pay to fix the damage they caused for people.
The corporations are not the victims, they aren't out anything.
People who had their ID's stolen are then left to spend stupid amounts of money to prove it wasn't them that opened that credit card & ran it up.
If we demanded rape victims had to pay for their rape kits to be processed, outside of texas where rapist have been all removed, people would/should be outraged... but when someone manages to steal your identity & run up bills the system protects the corporations from losses by demanding the innocent victim pay to prove they are innocent.
All of this data is stolen over and over and over and over & used to steal over and over and over and over...
perhaps its time to admit how this data is used is the problem & demand the industry making big bucks & sticking innocent people with big bills to clean up needs to actually take it seriously & do more to protect the public & tighten things up so its harder for someone with a SS#, your dogs name, and the 3rd grade teachers name to get a $75,000 loan.
[ link to this | view in chronology ]
Re:
Wouldn't help much. Most big orgs budget litigation as a cost of doing business or calculate the cost of litigation vs. fixing the issue. For example, GM figured spending $8.59/car to fix their stupid gas tanks was more than the cost of settling any wrongful-death lawsuits.
Now if you were to hold certain C-level folks criminally liable, they would most certainly do something about it. Not sure if that's possible to do in an S-Corp, though.
[ link to this | view in chronology ]
and tha-tha-that's all, folks!
[ link to this | view in chronology ]
This is so bad.
That I wonder if this is just a way to sell off all their data and BLAME WHO?
Hasnt anyone create a Program to secure the DATA on these systems? And Why hasnt anyone started using them?
Microsoft Should be making Trillions supporting their Own program and server systems.
A program that creates a Pass/encryption code, and then separates the data and hides it with only 1 program able to Bring all parts together and Decode it.
WHATS the freaking Problem?
This is 1 of Hundreds of break-ins. and this is reported one, and a big one. Where are the server protections? the Admins to monitor whats happening ON THOSE SERVERS.
[ link to this | view in chronology ]
Re: This is so bad.
"Hasnt anyone create a Program to secure the DATA on these systems?"
Why would they? If they don't face financial penalties for this stuff, then any attempt to secure the data costs money - and they spend that on marketing, not those pesky nerds who keep telling them that their servers need protection...
[ link to this | view in chronology ]
Re: Re: This is so bad.
And one of the best server setups is free to Almost free, Linux.
Where you can design and setup any configuration you want, but you need a person WHO understands Linux and networking.
You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening. Use a simple Old Pentium to do it, CHEAP.
[ link to this | view in chronology ]
Re: Re: Re: This is so bad.
"And one of the best server setups is free to Almost free, Linux."
Software is free, but expertise is not. Which is part of the reason why we keep seeing these things happening - the bean counters assume that since the money saved by competent security professionals does not show up on a balance sheet until something goes wrong, that the people they pay to protect them don't deserve more money because they did a good job...
"You could even run a computer that intercepts the incoming/outgoing and monitors things and TELLS/WARNS of things not Right happening"
Yes, and if you haven't correctly set that up, you can actually be worse off than people who didn't bother, especially if you fooled yourself into thinking that you only need to set things up one and not constantly adjust and improve the alerting for new threats you didn't think of in the first place.
"Use a simple Old Pentium to do it, CHEAP."
Not for an enterprise with millions of users, you don't.
[ link to this | view in chronology ]