Neiman Marcus, the Dallas-based chain of luxury department stores, has agreed to pay $1.5 million in compensation to the 43 states affected by a 2013 data breach, announced Texas Attorney General Ken Paxton on Tuesday.
This sum is significantly lower than Target’s settlement of $18.5 million following that retailer’s data breach in the same year, which was estimated to have cost $150 million.
A nationwide investigation concluded that, in 2013, a third party gained unauthorized access to 370,000 credit and debit cards used at 77 Neiman Marcus stores in multiple states. The breach went undetected for three months and was publicly announced in January of 2014. Some 9,200 cards were used for illicit purposes, said Paxton.
“Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure,” he said. “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’ information.”
The retailer also has to strengthen security and implement a clear policy to fend off attacks and protect customer data. An information security assessment and report from a third party is also required.
Neiman Marcus is not the only luxury department store to expose its customers’ financial data or personal information. In 2018, Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores also fell victim to unauthorized intrusions that affected their customers.