Neiman Marcus data breach hits 4.6 million — here's what you need to do

The entrance to a Neiman Marcus store at an indoor shopping mall in suburban Philadelphia.
(Image credit: Helen89/Shutterstock)

Dallas-based department-store chain Neiman Marcus yesterday (Sept. 30) said that upward of 4.6 million customers who shopped on the Neiman Marcus website had their personal information, including credit-card numbers and account passwords, stolen in a data breach in May 2020, more than a year ago.

"The personal information for affected Neiman Marcus customers varied and may have included names and contact information; payment card numbers and expiration dates (without CVV numbers); Neiman Marcus virtual gift card numbers (without PINs); and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts," said a Neiman Marcus press release.

It's not clear if and how Neiman Marcus encrypted customer passwords, as most companies do. Neiman Marcus said it was forcing customers who had not reset their passwords since May 2020 to do so now, but didn't specify whether it was actively forcing customers to do so or just waiting until a customer tried to log in.

"Approximately 3.1 million payment and virtual gift cards were affected, more than 85% of which are expired or invalid," the company added. "No active Neiman Marcus-branded credit cards were impacted. At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected."

Many companies encrypt customer credit card numbers as well, sometimes leaving only the last four digits visible in plain text. Neiman Marcus did not say how the card numbers it stored were protected.

Customers known to be affected by this breach are being emailed by Neiman Marcus. The text of the email is on an information page the company has set up.

If you get a Neiman Marcus email about the breach and its text doesn't match, then it may be a fake. Customers can also call (866) 571-9725 during most hours on weekdays and weekends — be sure to provide reference number B019206. 

What you need to do about the Neiman Marcus data breach

If you shopped online at Neiman Marcus in May 2020 or earlier, the first thing you need to do is to change your Neiman Marcus account password. Don't wait for the company to make you do it. Make the new password long and strong, and even more importantly, don't reuse that password anywhere else.

If you did use the same username and password on other accounts, you'll need to change the passwords on those accounts as well, again making sure you don't use a new password more than once. Try using one of the best password managers to keep track of them all. 

Then check the past 18 months of transaction histories for any credit or debit cards you may have used at Neiman Marcus. If you see anything unusual or suspicious, tell your card issuer right away.

Neiman Marcus recommends running at least one of the free credit reports you can get at  That's something everyone should do, regardless of data-breach impact, and as long as the COVID-19 pandemic lasts, you can get new free credit reports every week. 

However, the company is not offering any kind of free identity theft protection, as many other companies do in the wake of a data breach. 

Still not clear who hacked Neiman Marcus

The press release said Neiman Marcus hired cybersecurity-response firm Mandiant to look into the data breach. At this moment, the company doesn't know who hacked it, or why it took nearly a year and a half for the data theft to come to light.

Neiman Marcus went through Chapter 11 bankruptcy protection for several months in 2020, citing lack of sales during the height of the COVID-19 pandemic.

This isn't the first time Neiman Marcus has been hit. In 2014, the company revealed that up to 1.1 million customer credit cards had been swiped by malware that infected the company's retail-store payment systems.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.