To our loyal Neiman Marcus Group customers:

As the investigation into our cyber security incident continues, I want to provide you with an update. Your trust in us is our absolute priority.

As always, we want you to feel confident shopping at Neiman Marcus. What I said in my prior message to you remains the same: there is NO indication
• that Social Security numbers and birth dates were compromised
• that our Neiman Marcus cards have been used fraudulently
• that any online customers were impacted
• that any PINs were at risk since we do not use PIN pads in our stores

We do know, and our forensic reports have confirmed, that malicious software (malware) was clandestinely installed on our system and that it attempted to collect or "scrape" payment card data from July 16, 2013 to October 30, 2013. I reported last time that approximately 1,100,000 customer payment cards could have been potentially visible to the malware.

Our investigation has now determined that the number of potentially affected payments cards is lower—approximately 350,000. The number has decreased because the investigation has established that the malware was not operating at all our stores, nor was it operating every day in those affected stores, during the July 16 -October 30 period. Of the 350,000 payment cards that may have been affected by the malware in our system, Visa, MasterCard and Discover have notified us to date that approximately 9,200 of those were subsequently used fraudulently elsewhere.

Regardless of whether or not your card was affected, we have notified customers for whom we have mailing and/or e-mail addresses who shopped with us either in-store or online in 2013.

For over a century, our company's mission has been dedicated to delivering exceptional service to each of our customers, and responding properly to this attack is our top priority. Our goal is to do everything possible to restore your trust and to earn your loyalty.

Sincerely,

Karen Katz
President and CEO
Neiman Marcus Group
June 15, 2014


General Q&A

1. How long has Neiman Marcus known about this?

2. Was Neiman Marcus the victim of a data breach?

3. What was the date range?

4. How many cards were affected?

5. Was PIN data taken or accessed?

6. Has the potential security issue been resolved?

7. Which Neiman Marcus Group stores were affected?

8. Did this incident affect customers that shopped online?

9. What types of cards were affected?

10. Were Neiman Marcus or Bergdorf Goodman private label cards used fraudulently?

11. Is this issue linked in any way to the breach at Target?

Customer Guidance

12. What are some of the steps customers concerned about this loss of payment card information can take?

13. Should consumers contact Neiman Marcus or Bergdorf Goodman if their cards were affected?

14. Will consumers be liable for fraudulent charges?



1. How long has Neiman Marcus known about this?

On January 1st, a leading forensics firm first discovered evidence suggesting that the company may have been the victim of a criminal cyber-security intrusion. This was confirmed in subsequent days as the sophisticated, self-concealing software, known as "malware", was decrypted and analyzed.




2. Was Neiman Marcus the victim of a data breach?

Neiman Marcus was informed by our merchant processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and began working actively with the U.S. Secret Service, the payment brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading payment brand approved forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence suggesting that the company was the victim of a criminal cyber-security intrusion. This was confirmed in subsequent days as the sophisticated, self-concealing malware was decrypted and analyzed, and a determination was made that some customers' cards were possibly compromised as a result. By January 10th, the malicious software we found had been disabled.



3. What was the date range?

Based upon the forensic information we have received, it appears that sophisticated, self-concealing malware, capable of fraudulently obtaining payment card information, was active between July 16 and October 30, 2013. Other malware associated with the attack, but not capable of scraping card data, was found to be in the environment as early as March.



4. How many cards were affected?

While the forensic and criminal investigations are ongoing, we know that malware that collected or "scraped" credit card data was clandestinely installed on our system. The forensic report confirms that the malware was operating from July 16, 2013 to October 30, 2013. During those months, approximately 350,000 (down from 1.1 million) customer payment cards could have potentially been visible to the malware at the stores and dates where the malware was operating. Of these cards, Visa, MasterCard, and Discover have notified us to date that approximately 9,200 were subsequently used fraudulently elsewhere.



5. Was PIN data taken or accessed?

Your PIN was never at risk because we do not use PIN pads in our stores.



6. Has the potential security issue been resolved?

We are taking a number of steps to contain the situation in all our stores including:

• We have disabled the malware we discovered in the course of our investigation
• We are working directly with federal law enforcement in its investigation
• We are conducting a full review of all of our payment card information systems and vulnerability assessment with the payment card brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading, payment brand approved forensics firm
• We are reviewing our intrusion detection systems and firewalls
• We are reinforcing our security tools
• We are reviewing and hardening our systems
• We are modifying our software and security credentials



7. Which Neiman Marcus Group stores were affected?

The forensic investigation has determined that this malware was operating at 77 of our stores, and was not operating at 8 of our stores. At these 77 stores, the malware was not operating at every register or every day during the July 16 - October 30 period.



8. Did this incident affect customers that shopped online?

The forensic investigation has not uncovered any evidence to indicate that the criminal cyber-security intrusion impacted customers that shopped online.



9. What types of cards were affected?

We have been able to determine that both credit and debit cards have been impacted.



10. Were Neiman Marcus private label cards used fraudulently?

As of February 18, 2014, we have not been informed of any fraudulent activity on our Neiman Marcus or Bergdorf Goodman cards as a result of this cyber crime. If you are concerned about your Neiman Marcus card, please contact your nearest Neiman Marcus store or call our credit office at 1.800.685.6695.




11. Is this issue linked in any way to the breach at Target?

We have no knowledge of any connection to that situation.



12. What are some of the steps customers concerned about this loss of payment card information can take?

There are several other steps you can take if you are concerned about fraudulent activity.

Check your statements to see if there is any fraudulent or suspicious activity. If there is any unauthorized activity, call your bank or financial institution in order to report the issue.

Consumers may consider placing a fraud alert on their credit reports to help mitigate potential issues. To do this, you will need to contact one of the three credit reporting agencies.

Equifax: 1.800.525.6285
Experian: 1.888.397.3742
TransUnion: 1.800.680.7289

You can order your credit reports for free from all three credit bureaus once a year. You can do this online at www.annualcreditreport.com, or by phone at 1-877-322-8228.

Finally, be on the lookout for phishing schemes. Our email correspondence regarding this incident will not contain any links, so if you receive an email appearing to be from us that contains a link, it is not from us, and don't click on the link. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank or other institutions. We would never ask you for sensitive information via email.




13. Should consumers contact Neiman Marcus or Bergdorf Goodman if their cards were affected?

If you are concerned about your Neiman Marcus or Bergdorf Goodman card, please call our credit office at 1.800.685.6695. Other cardholders should contact the bank or financial institution that issued their cards about any fraudulent activity. Contact information can be found on the back of their payment cards. They are best suited for helping to resolve any unauthorized charges.




14. Will consumers be liable for fraudulent charges?

The policies of the payment brands such as Visa, MasterCard, American Express, Discover and the Neiman Marcus card provide that you have zero liability for any unauthorized charges if you report them in a timely manner. Please contact your card brand or issuing bank for more information about the policy that applies to you.




U.S. State Notification Requirements

For additional information, you may contact Neiman Marcus' hotline at 1.866.579.2216, or visit our informational website accessible from our home page.



For residents of California, Hawaii, Illinois, Iowa, Maryland, Michigan, Missouri, North Carolina, Oregon, Vermont, Virginia, West Virginia, and Wyoming:

It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity. You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account by contacting any one or more of the national consumer reporting agencies listed below. They can also provide you with information about fraud alerts and security freezes.
  • Equifax:
    P.O. Box 740241
    Atlanta, GA 30348
    1.800.685.1111
    www.equifax.com

  • Experian: P.O. Box 2104
    Allen, TX 75013
    1.888.397.3742
    www.experian.com

  • TransUnion: P.O. Box 6790
    Fullerton, CA 92834-6790
    1.877.322.8228
    www.transunion.com




For residents of Iowa:

State law advises you to report any suspected identity theft to law enforcement or to the Attorney General.


For residents of Oregon:

State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission.


For residents of Illinois, Maryland and North Carolina:

State laws require us to tell you that you can obtain information from the Federal Trade Commission about steps you can take to avoid identity theft (including how to place a fraud alert or security freeze). If you are a Maryland or North Carolina resident, you may also be able to obtain this information from your state's Attorney General.
  • MD Attorney General's Office
    Consumer Protection Division
    200 St. Paul Place
    Baltimore, MD 21202
    1.888.743.0023
    www.oag.state.md.us

  • NC Attorney General's Office
    Consumer Protection Division
    9001 Mail Service Center
    Raleigh, NC 27699-9001
    1.877.566.7226
    http://www.ncdoj.gov/

  • Federal Trade Commission
    Consumer Response Center
    600 Pennsylvania Avenue, NW
    Washington, DC 20580
    1.877.IDTHEFT (438.4338)
    www.ftc.gov/bcp/edu/microsites/idtheft/



For residents of Massachusetts and West Virginia:

State laws require us to inform you of your right to obtain a police report if you are a victim of identity theft. You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may delay your ability to obtain credit.

To place a security freeze on your credit report, you need to send a request to a consumer reporting agency by certified mail, overnight mail, or regular stamped mail. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The consumer reporting agency may charge a fee of up to $5.00 to place a freeze or lift or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and you have submitted a valid police report relating to the identity theft incident to the consumer reporting agency.

  • Equifax Security Freeze
    P.O. Box 105788
    Atlanta, GA 30348
    www.equifax.com

  • Experian Security Freeze
    P.O. Box 9554
    Allen, TX 75013
    www.experian.com

  • TransUnion (FVAD)
    P.O. Box 6790
    Fullerton, CA 92834-6790
    www.transunion.com





UPDATED JUNE 15, 2014