Neiman Marcus Offers Update on Credit Card Breach

Neiman Marcus Group Ltd. said that to its knowledge, customers’ Social Security numbers and birthdates were not stolen in a security breach that happened over the year-end shopping season.

It also confirmed that at this time, customers who shopped online do not appear to have been affected by the criminal cybersecurity intrusion, and it said personal identification numbers, or PINs, were never at risk because the retailer does not require PIN pads in its stores.

The update, posted on its website Thursday, comes nearly a week after the Dallas-based luxury retailer said that thieves stole some of its customers’ payment information and made unauthorized charges. At the time, it said that it was working with the Secret Service on the breach. The news follows Target’s announcement of a massive security breach that could end up being the largest on record for a retailer once a final tally is known.

Neiman Marcus, which operates 40 full-scale stores and clearance locations, also said that it was offering customers free credit monitoring for an “added layer of protection.” The company said shoppers should sign up for instructions to this service on its website by Jan. 24.

“We deeply regret and are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores,” said Karen Katz, Neiman Marcus’s CEO, in a letter posted on the company’s website.

Neiman Marcus said last week that it was notified in mid-December by its credit card processor about potentially unauthorized payment activity, and on Jan. 1, a forensics firm confirmed that it was a victim of a cybersecurity intrusion. Ginger Reeder, a spokeswoman at Neiman Marcus, on Thursday declined to say how many people could potentially be affected since the investigation is ongoing. She also wouldn’t disclose what personal information was captured.

“We know what type was not captured, based on what information we capture,” she wrote in an email to The Associated Press.

Target Corp. disclosed last week that its massive data theft was significantly more extensive and affected millions more shoppers than the company announced in December. The nation’s second-largest discounter said hackers stole personal information — including names, phone numbers, email and mailing addresses — from as many as 70 million customers, up from a previous estimate of 40 million credit and debit card accounts. The breach happened from Nov. 27 to Dec. 15 — just as the year-end shopping season was getting into gear.

Target said that it was offering those potentially affected free credit monitoring, but acknowledged Friday that news of the data theft has scared some shoppers away. It cut its earnings outlook for the quarter that covers the crucial year-end shopping season, and warned that sales will be down for the period.