Luxury Retailer Neiman Marcus Suffers Snowflake Breach

More Victims of Campaign Against Data Warehousing Platform Snowflake Come to Light

Luxury department store retailer Neiman Marcus Group is the latest organization to report a data breach due to attackers accessing its account at cloud-based data warehousing platform provider Snowflake.

In a data breach notification, privately held Neiman Marcus Group said it is notifying nearly 65,000 shoppers that an attacker stole their "personal information."

Neiman Marcus Group, based in Dallas, comprises 36 Neiman Marcus stores, two Bergdorf Goodman stores and five Last Call outlet stores - plus online sites.

"Neiman Marcus Group recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake," a Neiman Marcus Group company spokesperson told Information Security Media Group.

The company said the breach began April 14 and became apparent on May 24. During that period, the attacker stole data including customers' names, contact details, birthdates and gift card numbers, although without the PIN codes needed to redeem them. The company said the gift cards remain valid.

"Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform," the spokesperson said, adding that the company brought in external cybersecurity advisers to assist with its investigation.

NMG has been owned since 2021 by a group of investment firms: Pacific Investment Management, aka PIMCO; Sixth Street Partners; and Davidson Kempner Capital Management. In late 2023, NMG walked away from a $3 billion merger offer from rival luxury retailer Saks Fifth Avenue, The Wall Street Journal reported.

This isn't the first data breach Neiman Marcus has suffered. In May 2020, the retailer notified 4.6 million online customers that hackers stole usernames, passwords, security questions and payment card details.

Snowflake Breach Victims

The breach of Snowflake accounts appears to have affected about 165 customer accounts. While most have not yet been publicly named, other known victims include Live Nation Entertainment's Ticketmaster, Santander Bank, automotive parts supplier Advance Auto Parts and the Los Angeles Unified School District (see: Victims of Snowflake Data Breach Receive Ransom Demands).

The first public reports of breached Snowflake accounts arrived on May 30, after Ticketmaster's data appeared for sale on criminal website BreachForums.

Snowflake, in a joint statement with CrowdStrike and Mandiant, said attackers used stolen username and password pairs to breach Snowflake accounts for which administrators hadn't enabled multifactor authentication. "As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info-stealing malware," they said (see: Alert: Info Stealers Target Stored Browser Credentials).

The joint statement says attackers only breached Snowflake accounts that accountholders weren't protecting with multifactor authentication, which Snowflake only offered via a version of Cisco's Duo that it self-managed. Snowflake subsequently introduced more ways for organizations to enable their Snowflake users to access MFA capabilities, and it said it plans to allow administrators to make MFA mandatory.

Mandiant said it's been tracking the crime group involved in the Snowflake-targeting attacks, which has the codename UNC5537, since it first detected the campaign in April. The firm recently reported that UNC5537 has been "using stolen customer data to extort victims, and simultaneously attempting to sell the data on cybercriminal forums."

Stolen Data Advertised for Sale

Hours after Neiman Marcus publicly disclosed the breach, a user on the BreachForums data leak site with the handle "Sp1d3r" listed the retailer's data for sale, seeking $150,000 for the set. Sp1d3r said his attempt to extort the retailer into paying a ransom in return for a promise not to leak the data had failed.

The BreachForums advertisement by Sp1d3r contains inconsistencies. Beyond claiming the stolen data includes the last four digits of customers' Social Security numbers, the advertisement says exfiltrated data pertains to 180 million users, including details of "70 million transactions" (see: Ransomware Groups: Trust Us. Uh, Don't.).

The advertisement also name-drops "rapeflake" - tracked as "Frostbite" by Mandiant - a malicious utility that attackers used to gain initial access to at least some of the breached Snowflake accounts. The utility can target SnowSight, Snowflake's web-based user interface, and the SnowSQL command-line interface tool.

Sp1d3r has been hawking data stolen from multiple Snowflake victims, including from Advance Auto Parts and Ticketmaster. He claimed to Bleeping Computer that at least some of his group's Snowflake victims paid a ransom.

It isn't clear whether Sp1d3r is advertising the stolen data because someone might buy it or to try and pressure victims past, present and future into paying a ransom.

Another victim of the Snowflake campaign is the Los Angeles Unified School District. On June 6, after stolen LAUSD data appeared for sale, the district warned that an attacker had stolen "student and employee data." After Sp1d3r on June 18 began listing the information for sale - including students' names, addresses, grades and other details - LAUSD told Bleeping Computer the information was stolen from its Snowflake account. Sp1d3r subsequently offered the stolen data for free download.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
