Department store company Neiman Marcus Group Inc. has been hacked, with data relating to about 4.6 million customers stolen.

The details of the hack were not disclosed, but Nieman Marcus said today that it occurred in May 2020. The company officially describes the theft of data as unauthorized access related to customer’s online accounts.

The data stolen included 3.1 million payment and virtual gift cards, although Neiman Marcus notes that more than 85% were either expired or invalid. Other details stolen included names and contact information, payment card numbers and expiration dates, user names, passwords and security questions and answers associated with Neiman Marcus online accounts.

Neiman Marcus said it has taken steps to protect its customers, albeit nearly 17 months after the incident, including requiring an online password reset for affected customers. The company has informed law enforcement of the breach and has hired cybersecurity consulting firm Mandiant, a division of FireEye Inc., to investigate.

“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, chief executive officer on Neiman Marcus, said in a statement. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

The timing of the data breach and the long delay in disclosing it, is notable. The company filed for bankruptcy in May 2020, the same month the data breach occurred and then came out of bankruptcy in September 2020. That the data breach had been missed before now may reflect Neiman Marcus having other issues to deal with at the time.

“From a security perspective, it is very dangerous for a company to go this long without detecting and responding to a breach,” Quentin Rhoads, director of professional services at cybersecurity consulting and managed detection and response company Critical Start Inc., told SiliconANGLE. “More damage could have been done that has yet been discovered. It is also not uncommon for attackers to sell their access to a breached company as part of their revenue-generating plan, which means there might be a chance attackers still have access.”

Noting that most of the credit cards and gift cards stolen don’t contain data like pins and CVV numbers and are probably expired, Rhoads added that this data is more than likely been sold to other attackers who can use it for crimes such as identity theft in conjunction with the other personal information stolen.

Photo: Rocor/Flickr