Neiman Marcus Facing Class Action Lawsuit Over 2024 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges the Neiman Marcus Group LLC is responsible for a 2024 data breach that reportedly affected millions of customers and employees.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 37-page data breach lawsuit says that beginning around April 14 of this year, hackers targeted a cloud storage service called Snowflake that Neiman Marcus uses to store customer data. The intrusion went undetected until around May 24, the complaint claims.

According to the case, the cyberattack compromised individuals’ names, credit and debit card numbers, emails, addresses, phone numbers, dates of birth, partial Social Security numbers, employee identification numbers and transaction data.

A threat actor that goes by the alias Sp1d3r has claimed responsibility for the breach, stating in an online forum that victims’ private information had been put up for sale for $150,000 after Neiman Marcus refused to meet the hacker’s ransom demands, the filing states. Affected individuals such as the plaintiff, a New Jersey resident and frequent shopper at Neiman Marcus, now face a high risk of identity theft, fraud and other cybercrimes, the lawsuit stresses.

In fact, the plaintiff says she received a notification in May 2024 indicating that her personal data had been found on the dark web. Since then, the woman has experienced several anomalies on her credit profile, phishing attacks, and attempts to hack into her financial accounts, the Neiman Marcus data breach lawsuit says.

“[The] defendant could have prevented this data breach,” the case alleges, claiming that the attack stemmed from Neiman Marcus’ failure to comply with industry standards for data security. More specifically, the suit says, the luxury retailer still relies upon a “dangerously insecure” single-factor authentication method—i.e., usernames and passwords—to allow users into its database of customer information.

The filing contends that, unlike Neiman Marcus, “the rest of the civilized world” uses multi-factor authentication and other modern security protocols to protect consumers’ sensitive information from unauthorized access.

“Upon information and belief, its data storage partner, Snowflake, offered [multi-factor authentication] as an option to safeguard the Class Member’s [sic] Customer Data held at [Neiman Marcus’] behest,” the case alleges. “[The defendant], however, declined the use of [multi-factor authentication] and instead opted to rely upon outdated, antiquated, and insecure single-factor authentication to secure this data.”

Per the complaint, Neiman Marcus began notifying victims of the breach around June 24, 2024. The retailer has reported to the Maine Attorney General’s Office that only 64,472 individuals were impacted by the attack, but analysts say the incident exposed the email addresses of more than 31 million people, the filing relays.

The lawsuit looks to represent anyone in the United States who made a credit or debit card purchase with any affected Neiman Marcus Group business during the period of the data breach.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.