Neiman Marcus will pay $1.5 million to 43 states over a 2013 data breach that exposed customer credit card data, Texas Attorney General Ken Paxton announced Tuesday.
The breach, which was disclosed to the public in Jan. 2014, occurred over a three-month period the year prior. Roughly 370,000 Neiman Marcus credit cards used at 77 stores nationwide were accessed by an unknown third party. At least 9,200 of them were used fraudulently, according to a statement from Paxton's office.
As part of the settlement, the Dallas-based luxury department store retailer must implement new procedures to protect customers' personal information and ward off future attacks. It also must obtain an information security assessment from a third-party professional.
For retailers, major data breaches can be catastrophic. When customers' most personal financial information is exposed, trust in the retailer can erode, no matter how loyal the customer.
"Each time a new data breach is disclosed from a 'trusted' retailer, consumer trust in that brand diminishes," Joe Stuntz, vice president of cybersecurity at One World Identity, said in a statement emailed to Retail Dive regarding a 2018 breach at Adidas.
Last year, a breach at some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores was marked as "amongst the biggest and most damaging to ever hit retail companies," according to security research firm Gemini Advisory. Target felt the ripple effects of a massive 2013 holiday season breach for years afterward. It paid an $18.5 million settlement in 2017, though the true cost of the security breach to its bottom line was $150 million, the company estimated.
Because methods of data breach are constantly evolving, the threats are ongoing for retailers. "This requires that cyber security teams have effective funding, adequate staff and vast expertise. Sadly, none of those three are common," Terry Ray, CTO of data security technology company Imperva, told Retail Dive last year.