Neiman Marcus cyber attacker wants to sell hacked data from “high-profile, wealthy targets”!

Here’s a sale Neiman Marcus never wanted: The department store’s recent cyberattack, which it said affected 64,000 customers, apparently resulted in some of its customer data being put up for sale for $150,000.

In terms of scale, the company's figure could be a conservative estimate. “Sp1d3r”, the hacker claiming responsibility, says the number is several times higher, namely 180 million users. This figure has not been confirmed, but what is certain is that the suspect is trying to sell the data on a cybercrime forum.

The incident occurred on April 14, according to a data breach notification filed by Neiman Marcus’s lawyers, and was discovered on May 24. On Monday, the retailer notified affected consumers.

A company spokesperson told WWD: “Neiman Marcus Group recently learned that an unauthorized party gained access to a cloud database platform used by NMG, which is provided by a third-party provider, Snowflake. Immediately after discovering the incident, NMG took steps to contain it, including by blocking access to the platform.”

The company then immediately launched an investigation together with cybersecurity experts and notified law enforcement authorities.

The alleged attacker claimed that the exploit revealed the last four digits of Social Security numbers – a detail that Neiman Marcus did not discuss or respond to when asked – as well as other information from 70 million transactions, 50 million customer emails (with IP address tracking), 12 million gift card numbers and 6 billion lines of customer purchase records.

However, Neiman Marcus confirmed at least some other aspects of the hacker’s claim. “The type of personal information affected varied from person to person and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers,” the spokesperson said.

No gift card PINs were compromised in the data breach, they added, meaning that the PINs served their purpose as a security mechanism by protecting the loaded value from unauthorized access or use.

Regardless, Sp1d3r seems determined to sell the information he has collected, or at least hopes to blackmail the department store into paying for the return of the data.

“High profile rich targets! Lots of money to spend!” wrote Sp1d3r. “Neiman, if there is interest in an exclusive purchase we will remove the post. Contact us.”

The incident appears to be one of several Snowflake-related attacks, including a high-profile attack on event giant Ticketmaster. The cloud database provider described the attacks as a “targeted threat campaign” aimed at some of its customers, but after a third-party investigation, it used X, formerly Twitter, to dismiss the notion that the attack was due to a vulnerability in the platform.

Snowflake attributed the attacks to “compromised credentials that had been previously purchased or obtained through infostealing malware,” which the attackers used against accounts protected only by single-factor authentication.
