Luxury retail company Neiman Marcus Group on Thursday confirmed that customer information was indeed stolen in a data breach.
During the incident, which occurred in May 2020, hackers were able to exfiltrate information associated with online customer accounts, including payment card data, the company says.
A total of 4.6 million online customers were affected by the attack and Neiman Marcus is working on notifying them. The company also says that 3.1 million payment and virtual gift cards were compromised, 85% of which were either expired or invalid.
Personal information stolen in the attack includes names and contact information, usernames, passwords, as well as answers to security questions associated with the online accounts.
The attackers, the company says, were able to steal payment card numbers and expiration dates, but not associated CVV numbers. For the affected Neiman Marcus virtual gift card numbers, PINs were not compromised.
“No active Neiman Marcus-branded credit cards were impacted. At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected,” Neiman Marcus said.
The company notes that it has also prompted users to change their passwords, provided they did not do so since May 2020.
“We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information,” said Geoffroy van Raemdonck, the CEO of Neiman Marcus Group.
Related: Controversial Web Host Epik Confirms Customer Data Exposed in Breach
Related: UK Minister Sorry Over Afghan Interpreters’ Data Breach
Related: IBM: Average Cost of Data Breach Exceeds $4.2 Million