Fiend touts stolen Neiman Marcus customer info for $150K

Flash clobber chain fashionably late to Snowflake fiasco party


Customer information said to have been stolen from Neiman Marcus's Snowflake instance has been put up for sale on the dark web for $150,000.

That would make the fancy department store chain the latest outfit to have had its data swiped from its cloud-based Snowflake storage and peddled on an underworld forum.

Between April and May, an intruder accessed 64,472 shoppers' names, contact information, dates of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) — but not the gift card PINs — according to a privacy breach notification submitted to the Maine Attorney General in the US by the luxury retailer.

In that disclosure, the swish garb slinger blamed the theft on an "unauthorized third party" breaking into "a database platform used by Neiman Marcus Group."

A Neiman Marcus spokesperson declined to answer whether it had turned on multi-factor authentication (MFA) for that database – an oversight common among victims of recent raids on Snowflake cloud accounts – though did confirm to El Reg that the unnamed platform was indeed Snowflake. The rep told us:

"Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake. Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform. We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities. Based on our investigation, the unauthorized party obtained certain personal information stored in the platform."

The Snowflake database did not include customers' credit card information, we're told. Upon discovering the cloud security breach, the high-end chain disabled access to the storage service and hired "leading cybersecurity experts" to assist with the investigation. It also tipped off law enforcement. 

"We will continue to enhance our safeguards for protecting personal information," a letter [PDF] sent to customers by NMG about the privacy snafu added.

Meanwhile, someone who goes by the handle Sp1d3r has touted online what they claim to be "millions of customers" transactions and other details pilfered from Neiman Marcus, and is attempting to trade it all for $150,000.

According to Sp1d3r's dark-web souk listing, the stolen data includes names, addresses, phone numbers, the last four digits of customers' Social Security numbers, plus 50 million customer email addresses with IP addresses, 12 million gift card numbers, and "6 billion rows of customer shopping records, employee data, store information." Presumably that was lifted from NMG's Snowflake account.

We should note that Sp1d3r's inventory of stolen data has not been verified; it may be a wild exaggeration.

While it may be the latest, Neiman Marcus is likely not the last of the Snowflake victims. At least 165 organizations have had their internal data exfiltrated from their Snowflake cloud storage accounts by miscreants using what's understood to be stolen customer credentials – a theft MFA may have been able to thwart.

Gradually these orgs have been disclosing the security breaches as this purloined information is put up for sale on cyber-crime forums.

While Ticketmaster and Spanish bank Santander were among the first to go public, other big names including Pure Storage, Advance Auto Parts, and Australian ticketing provider Ticketek have since emerged as victims.

According to Google's Mandiant, which has been investigating the intrusions, none of the victims had turned on MFA. Doh. ®
