Neiman Marcus confirms data breach after hackers try to sell database


Neiman Marcus

Luxury retailer Neiman Marcus confirmed it suffered a data breach after hackers attempted to sell the company’s data, allegedly stolen in the recent Snowflake data theft attacks.

In a data breach notification filed with the Office of the Maine Attorney General, the company says that the breach impacted 64,472 people.

“In May 2024, we learned that, between April and May 2024, an unauthorized third party gained access to a database platform used by Neiman Marcus Group. Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform,” warns Neiman Marcus in a data breach notification.

“The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs).”

Neiman Marcus said it disabled access to the database platform when the breach was detected, investigated with cybersecurity experts, and notified law enforcement.

While gift card numbers for Neiman Marcus and Bergdorf Goodman were exposed in the breach, the data did not include PINs, so the gift cards should still be valid.

Linked to Snowflake data theft attacks

The data breach notifications come after a threat actor named “Sp1d3r” put Neiman Marcus’ data up for sale on a hacking forum for $150,000, as first shared by HackManac.

While Neiman Marcus did not specifically name Snowflake as the database provider, this threat actor is behind the sale of data for numerous companies breached in the recent Snowflake data theft attacks.

Furthermore, the threat actor mentioned “Raped Flake” in the post, which is a custom tool the threat actors created to steal data from the database platform.

Neiman Marcus data for sale on a hacking forum
Source: HackManac

According to the threat actor, the stolen data included what Neiman Marcus shared, plus the last four digits of social security numbers, customer transactions, customer emails, shopping records, employee data, and millions of gift card numbers.

The threat actor claims to have attempted to extort the company before the forum posting, stating that the company refused to pay an extortion demand.

However, soon after the post was made on the forum, it was taken down along with the data sample, indicating that the company may have begun negotiating with the threat actors.

165 orgs likely impacted by Snowflake attacks

A joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that a threat actor, tracked as UNC5537, used stolen customer credentials to target at least 165 organizations that had not configured multi-factor authentication protection on their accounts.

Mandiant has also linked the Snowflake attacks to a financially motivated threat actor tracked as UNC5537 since May 2024. This threat actor is known for breaching organizations, stealing data, and attempting to extort companies into paying a ransom for the data not to be published or leaked to other threat actors.

While Mandiant has not publicly disclosed much information about UNC5537, BleepingComputer has learned they are part of a community of threat actors who frequently visit the same websites, Telegram and Discord servers.

To breach Snowflake accounts, the threat actor used credentials stolen by information-stealing malware infections dating back to 2020.

“The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password,” Mandiant said.

“Credentials identified in infostealer malware output were still valid, in some cases years after they were stolen, and had not been rotated or updated. The impacted Snowflake customer instances did not have network allow lists in place to only allow access from trusted locations.”
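As an added illustration of the three weaknesses Mandiant lists (no MFA, unrotated credentials, no network allow list), the following Python audit, which is not code from this article or from Snowflake or Mandiant, flags successful logins that show any of them. The rows, the column names (modelled on Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view), the users, the trusted IP range and the 90-day rotation window are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view
# (column names assumed from that view; users, IPs and times are invented here).
SAMPLE_LOGINS = [
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "203.0.113.7", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ALICE", "CLIENT_IP": "198.51.100.20", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
    {"USER_NAME": "CAROL", "CLIENT_IP": "198.51.100.21", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "SAML2_ASSERTION", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "BOB", "CLIENT_IP": "203.0.113.9", "IS_SUCCESS": "NO",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
]
# Constructed password ages (assumed to come from the USERS view's PASSWORD_LAST_SET_TIME).
PASSWORD_LAST_SET = {"ETL_SVC": datetime(2020, 11, 1), "ALICE": datetime(2024, 4, 1)}
NOW = datetime(2024, 5, 15)
TRUSTED_NETS = [ip_network("198.51.100.0/24")]  # hypothetical corporate egress range
MAX_PASSWORD_AGE = timedelta(days=90)           # hypothetical rotation policy


def from_trusted_network(ip, nets=TRUSTED_NETS):
    """True if the client IP falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def audit_logins(rows, password_last_set, now, nets=TRUSTED_NETS, max_age=MAX_PASSWORD_AGE):
    """Return (user, ip, reasons) for each successful login that shows a weakness."""
    findings = []
    for row in rows:
        if row["IS_SUCCESS"] != "YES":  # failed attempts are not access; skip them
            continue
        reasons = []
        # 1. Password was the only factor: the account has no MFA in front of it.
        if (row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not row["SECOND_AUTHENTICATION_FACTOR"]):
            reasons.append("password-only login, no MFA")
        # 2. Source address is outside the network allow list.
        if not from_trusted_network(row["CLIENT_IP"], nets):
            reasons.append("client IP outside allow list")
        # 3. Password not rotated within policy, so old infostealer loot would still work.
        last_set = password_last_set.get(row["USER_NAME"])
        if last_set is not None and now - last_set > max_age:
            reasons.append("password older than %d days" % max_age.days)
        if reasons:
            findings.append((row["USER_NAME"], row["CLIENT_IP"], reasons))
    return findings
```

Key-pair and SAML logins are not treated as password-only even though their second-factor column is empty, so SSO users are not falsely flagged.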

UNC5537 Snowflake attack timeline
Source: Mandiant

Snowflake and Mandiant have already notified around 165 organizations potentially exposed to these ongoing attacks.

Recent breaches linked to these attacks include Santander, Ticketmaster, QuoteWizard/LendingTree, Advance Auto Parts, Los Angeles Unified, and Pure Storage.