A third-party consultant discovered on 5 April that computer equipment containing the personal information of 160,000 current and former employees had been stolen, according to an announcement from the Dallas-based parent chain Neiman Marcus Group.
A smorgasbord of personal information is available on the stolen hardware, including names, addresses, Social Security numbers, dates of birth, periods of employment, salary information and some pension information, according to statements from Neiman Marcus.
The information may have been unencrypted, and could be used in phishing schemes, according to company officials.
The employee information was current as of 30 August 2005, according to a company news release, and includes data describing employees of Neiman Marcus Stores, Neiman Marcus Direct, Bergdorf Goodman, Horchow, Horchow Finale, Last Call, Chef’s Catalog and Contempo Casuals.
Chairman and CEO Burt Tansky noted in a letter to employees that the company has no indication that the personal information has been accessed.
Local law enforcement has been notified of the incident, according to Tansky, who urged affected employees to closely monitor their credit.
The company is offering affected employees a year's worth of Equifax credit monitoring service.
"Like you, the Neiman Marcus group takes this matter very seriously," he said. "We are presently reviewing the facts and circumstances leading to this potential loss of privacy of your information, and if appropriate, will take steps to enhance security protocols regarding the handling of our employees’ information by third-party vendors. We will do everything we can to prevent a recurrence."
Ginger Reeder, a Neiman Marcus spokeswoman, told SCMagazine.com that the company is assuming the third party did not encrypt the data, despite Neiman Marcus policy to encrypt and password protect all data.
Tansky also warned employees that they may be targeted by phishing scams.
"Please note that people falsely identifying themselves as Neiman Marcus Group representatives could contact you and offer ‘assistance,’" he said. "I urge you not to release personal information in response to contacts of this nature."
Melissa Ngo, staff counsel at the Electronic Privacy Information Center, told SCMagazine.com that firms must ensure protection of customer and employee information, even in the hands of third-party firms.
"It’s basically the same as it’s always been. When the data isn’t protected, there is no internal control for the information, or for the third parties who have the information. This is your data, and no matter who you give it to, you’re still supposed to protect it," she said. "Another problem is that some people keep saying that there shouldn’t be breach notifications because breaches have become so common. But if it’s my information, I want to know what happened and if I’m at risk."
Paul Stephens, policy analyst for the Privacy Rights Clearinghouse, told SCMagazine.com that companies must go beyond policy, and train employees to properly encrypt data in accordance with those policies.
"There are two issues here: There are corporate policies, and there is compliance with corporate policies. Some companies have good intentions, but they don’t train their employees to work in compliance with the policies," he said. "And this is a point we keep raising to the media, that there needs to be awareness of the proper encryption of data."
Affected employees may call a 24-hour-a-day helpline at 1-800-456-7019. Updates will also be provided at http://www.neimanmarcusgroup.com/.
160,000 personal files stolen in latest US retailer breach
By Frank Washkuch on Apr 26, 2007 10:04AM