Beshear: Neiman Marcus to Pay Commonwealth more than $17,000 over 2013 Data Breach

Multistate investigation finds 420 payment cards tied to Kentuckians compromised in breach

FRANKFORT, KY. (Jan. 8, 2019) – Today, Attorney General Andy Beshear announced that his office was part of a multistate settlement that led the Neiman Marcus Group LLC to pay Kentucky’s General Fund more than $17,000 after a 2013 data breach.

Beshear said a joint investigation involving 43 states and the District of Columbia, regarding 77 Neiman Marcus stores in the United States, found that 420 payment cards belonging to Kentuckians were compromised in the data breach.

“In a time where data breaches are unfortunately common, I am proud to join with other attorneys general to strengthen online data safeguards so that Kentuckians’ personal and financial information is better protected,” said Beshear. “As part of the settlement, Neiman Marcus is committed to doing more to help prevent future data breaches.”

In January 2014, Neiman Marcus disclosed that payment card data collected at certain of its retail stores had been compromised by an unknown third party.

The states’ investigation determined that approximately 370,000 payment cards in total were compromised in the breach, which took place over the course of several months in 2013. At least 9,200 of the payment cards compromised in the breach were used fraudulently. At the time of the breach announcement, Neiman Marcus offered consumers identity theft protection.

Together the states will receive a collective $1.5 million from Neiman Marcus to settle the investigation. Kentucky’s General Fund portion will be available for lawmakers to appropriate during the 2020 legislative budget session.

In addition to the monetary settlement, Neiman Marcus has agreed to take action to prevent similar breaches in the future, including increasing network activity monitoring efforts and updating software to maintain and protect customers’ personal and financial information.

Under the settlement, Neiman Marcus is also required to retain a third-party professional to conduct an information security assessment and report, and to detail any corrective actions that the company may have taken or plans to take.

Beshear’s office has joined multistate settlements against Uber, Target, Adobe and Nationwide Mutual Insurance Company, requiring those companies to maintain data security protections affecting thousands of Kentuckians.