Neiman Marcus Continues To Pay For Security Breach
By Kara Murphy, contributing writer, Integrated Solutions For Retailers
You knew it was coming: A lawsuit has been filed against Neiman Marcus by a customer who was a victim of the company’s data hack.
The Illinois woman who sued the company says she is doing so on behalf of the 350,000 customers whose information was compromised. She says the theft of her information caused her and other customers long-term stress.
"Neiman Marcus has placed the burden on aggrieved customers like plaintiff and the other members of the class, either to monitor their accounts and credit reports for years to come, or to spend time and money on fraud alerts or credit-report security freezes," said Hilary Remijas in her court filing, which was reported by Bloomberg News.
Neiman Marcus, which is based in Dallas, faced a similar claim from an Atlanta customer in January, but that court filing was later dropped.
The lawsuit is just the latest headache for the company associated with the data breach. The company reported in its late February earnings report that the data breach has cost it $4.1 million so far in legal fees, investigations, customer communications and credit monitoring subscriptions. Executives said during the same call that the luxury retailer had taken a $68 million loss during the holiday quarter. A year ago, it reported a $40 million profit.
About 350,000 cards were compromised in the Neiman Marcus breach between July 16 and Oct. 30. Of those, about 9,200 cards have been used by thieves, Neiman Marcus CEO Karen Katz said.
The lessons for other retailers in the breach also continue to unfold. One of the latest: Pay attention to alarms. The hackers who broke into Neiman Marcus’s system set off the company alarms 60,000 times, according to an internal company investigation. On some days, hundreds of alerts were tripped because the card-stealing software was automatically deleted from the payment registers and had to be reloaded.
A spokeswoman for Neiman Marcus told Bloomberg News that the hackers gave the software a name that was nearly identical to the company’s payment software, so alerts went unnoticed among a deluge of data routinely reviewed by a security team.
“These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,” the spokeswoman said.
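The alert pattern described above (the same file removed from registers day after day, under a name close to the real payment software) is easier to see once entries are grouped by file name instead of read one at a time. The following is an added illustration, not code from the article or from Neiman Marcus; the log format, the register names and both file names are constructed assumptions.

```python
from collections import Counter, defaultdict
from difflib import SequenceMatcher

# Hypothetical name of the legitimate payment binary (assumption, not from the article).
KNOWN_GOOD = {"posagent.exe"}

# Constructed endpoint-protection log lines: date, register, action, file name.
SAMPLE_LOG = """\
2000-01-01 REG-014 deleted posagnet.exe
2000-01-01 REG-014 deleted posagnet.exe
2000-01-01 REG-022 deleted posagnet.exe
2000-01-01 REG-031 quarantined toolbar_setup.exe
2000-01-02 REG-014 deleted posagnet.exe
2000-01-02 REG-022 deleted posagnet.exe
2000-01-02 REG-007 allowed posagent.exe
2000-01-03 REG-014 deleted posagnet.exe
"""

def lookalike(name, known=KNOWN_GOOD, threshold=0.85):
    """Return the known-good name this file imitates, or None."""
    for good in known:
        if name != good and SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None

def triage(log_text, min_days=2):
    """One finding per file: removed again on several days, or a look-alike name."""
    days, hosts, hits = defaultdict(set), defaultdict(set), Counter()
    for line in log_text.splitlines():
        day, host, action, name = line.split()
        if action not in {"deleted", "quarantined"}:
            continue  # only removal events count as alerts here
        name = name.lower()
        days[name].add(day)
        hosts[name].add(host)
        hits[name] += 1
    findings = []
    for name in hits:
        imitates = lookalike(name)
        # Recurrence across days means something keeps putting the file back.
        if len(days[name]) >= min_days or imitates:
            findings.append({"file": name, "alerts": hits[name],
                             "days": len(days[name]), "hosts": len(hosts[name]),
                             "imitates": imitates})
    return sorted(findings, key=lambda f: f["alerts"], reverse=True)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Six separate removal entries collapse into a single finding that shows the recurrence across days and registers, while the one-off removal of an unrelated file is left out.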