Upscale retailer Neiman Marcus revealed in late 2013 that it had been the victim of a cyberattack that resulted in the theft of credit card information belonging to about 350,000 customers. It was not until early in 2014 that the full scale of the attack was discovered, revealing that the number of compromised credit cards was closer to 1.1 million. In 2013, there were several large-scale cyberattacks that revealed significant faults in the security of credit card data among major retailers. Neiman Marcus is only one example, though its case is significant because it led to a court ruling that would change the accountability of companies at the center of data breaches that compromised customer or employee information.
A Target-Style Malware Attack
The Neiman Marcus data breach was very similar to the breach that Target suffered during the holiday season of 2013, in which 110 million credit card numbers were compromised. The Neiman Marcus attack was carried out with the same type of malware, installed on store terminals, which would copy credit card numbers when cards were swiped. It is uncertain whether the same group of hackers was behind the two attacks, but it is clear that the same faults in security were responsible for the infiltration.
Late Discovery of the Attack’s Impact
Initially, it was thought that the breach affected fewer than half a million customers, but a later statement from Neiman Marcus revealed that malware had been stealing payment data for a much longer period than suspected, putting about 1.1 million customers at risk of fraud.
Lasting Changes for Company Liability
While the Neiman Marcus case was not the largest attack of this nature to have occurred in 2013, it was among the most significant. The reason is that a class-action lawsuit against Neiman Marcus following the breach made it to the 7th Circuit Court of Appeals, which ruled that the lawsuit was a legitimate claim because of the potential injury to affected customers. Until that point, it was much more difficult for consumers to bring legal action against retailers that were at the center of data breaches revealing the consumers' personal or financial information.