Saturday, May 19, 2007
Personal information of 160,000 Neiman Marcus employees breached
Frank Washkuch Jr. Apr 25 2007 19:12
The latest retailer to suffer a data breach: Neiman Marcus.
A third-party consultant on April 5 discovered the computer equipment containing the personal information of 160,000 current and former employees was stolen, according to an announcement from the Dallas-based parent chain Neiman Marcus Group.
A smorgasbord of personal information is available on the stolen hardware, including names, addresses, Social Security numbers, dates of birth, periods of employment, salary information and some pension information, according to statements from Neiman Marcus.
The information may have been unencrypted, and could be used in phishing schemes, according to company officials.
The employee information was current as of Aug. 30, 2005, according to a company news release, and includes data describing employees of Neiman Marcus Stores, Neiman Marcus Direct, Bergdorf Goodman, Horchow, Horchow Finale, Last Call, Chef’s Catalog and Contempo Casuals, according to the statement.
Chairman and CEO Burt Tansky noted in a letter to employees that the company has no indication that the personal information has been accessed.
Local law enforcement have been notified of the incident, according to Tansky, who urged affected employees to closely monitor their credit.
The company is offering affected employees a year's worth of Equifax credit monitoring service.
"Like you, the Neiman Marcus group takes this matter very seriously," he said. "We are presently reviewing the facts and circumstances leading to this potential loss of privacy of your information, and if appropriate, will take steps to enhance security protocols regarding the handling of our employees’ information by third-party vendors. We will do everything we can to prevent a recurrence."
Ginger Reeder, a Neiman Marcus spokeswoman, told SCMagazine.com today that the company is assuming the third party did not encrypt the data, despite Neiman Marcus policy to encrypt and password protect all data.
Tansky also warned employees that they may be targeted by phishing scams.
"Please note that people falsely identifying themselves as Neiman Marcus Group representatives could contact you and offer ‘assistance,’" he said. "I urge you not to release personal information in response to contacts of this nature."
Melissa Ngo, staff counsel at the Electronic Privacy Information Center, told SCMagazine.com today that firms must ensure protection of customer and employee information, even in the hands of third-party firms.
"It’s basically the same as it’s always been. When the data isn’t protected, there is no internal control for the information, or for the third parties who have the information. This is your data, and no matter who you give it to, you’re still supposed to protect it," she said. "Another problem is that some people keep saying that there shouldn’t be breach notifications because breaches have become so common. But if it’s my information, I want to know what happened and if I’m at risk."
Paul Stephens, policy analyst for the Privacy Rights Clearinghouse, told SCMagazine.com today that companies must go beyond policy, and train employees to properly encrypt data in accordance with those policies.
"There are two issues here: There are corporate policies, and there is compliance with corporate policies. Some companies have good intentions, but they don’t train their employees to work in compliance with the policies," he said. "And this is a point we keep raising to the media, that there needs to be awareness of the proper encryption of data."
Labels: Neiman Marcus
Thursday, May 10, 2007
Computer with sensitive Neiman Marcus employee information reported stolen
Pension data about 160,000 individuals could be at risk
By Cara Garretson, Network World, 04/24/07
Neiman Marcus Group of Dallas announced Tuesday computer equipment containing sensitive employee information was stolen earlier this month from a third-party pension benefits plan consultant.
The company, which operates high-end retailers such as Neiman Marcus and Bergdorf Goodman, says it has no reason to believe the data stored on the computer was the target of the theft, or that the information has been misused.
Among the information stored on the stolen equipment are names, addresses, birthdates, Social Security numbers and salary information about 160,000 current and former Neiman Marcus Group employees and individuals participating in the group’s pension plan. The information was current as of August 2005.
Local law enforcement is working with Neiman Marcus’ security group to investigate the theft, officials say. The theft occurred on April 5, according to a company letter, but law enforcement just this week allowed Neiman Marcus to make the theft public, as officials no longer believe doing so would impede the investigation.
The company is contacting individuals whose information may have been stored on the stolen computer, recommending they monitor their credit reports, and will report updates to the situation here.
This latest incident of exposing individuals to identity theft caused by lost or stolen computer equipment follows a number of high-profile examples, including Johns Hopkins University and Johns Hopkins Hospital’s loss of nine back-up tapes containing sensitive information about 135,000 individuals; a laptop stolen from a Boeing employee’s car with sensitive data about 382,000 current and former workers; and the theft of a laptop and storage device from a U.S. Department of Veterans Affairs employee’s home, potentially exposing 26 million active and reserve service members.
Labels: Neiman Marcus