Fallout From Snowflake Attacks Continues As Neiman Marcus Confirms Data Breach

A threat actor ‘obtained certain personal information’ belonging to more than 60,000 customers and stored in the Snowflake platform, according to Neiman Marcus Group.

Neiman Marcus Group confirmed Tuesday that it’s among the victims impacted by recent widespread cyberattacks targeting Snowflake customers, in an incident that saw data belonging to more than 60,000 customers potentially stolen by threat actors.

In a statement provided to CRN, the luxury retailer identified Snowflake as the provider of a cloud database that attackers were able to compromise.

[Related: Change Healthcare: Patient Data Exposed In Breach Includes Medical Diagnoses, Test Results, Prescriptions]

The confirmation came after a threat actor claimed to be selling stolen Neiman Marcus Group customer data on a hacker forum, according to a post on X and report from BleepingComputer.

In its statement Tuesday, a Neiman Marcus Group spokesperson said the company “recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake.”

The retail giant has been investigating the incident with the help of “leading cybersecurity experts” and has determined that “certain” customer data was affected in the attack.

“Based on our investigation, the unauthorized party obtained certain personal information stored in the platform,” the spokesperson said. “The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card numbers (but without gift card PINs).”

In a breach notice posted by the Maine attorney general website, Neiman Marcus Group disclosed that 64,472 individuals were impacted in the attack. The information was accessed in April and May, the company said.

In response to a request for comment from CRN, a Snowflake spokesperson pointed to an advisory on the company’s website, which was last updated June 10, as the vendor’s latest comments on the attacks.

Growing Fallout

Neiman Marcus Group joins a list of victims of the Snowflake attacks that already included Ticketmaster, Santander Bank, Pure Storage and Advance Auto Parts. The wave of data theft attacks are believed to be utilizing stolen passwords.

Mandiant researchers disclosed earlier this month that an estimated 165 organizations were potentially impacted in the Snowflake-focused attack campaign.

A cybercriminal group has been “suspected to have stolen a significant volume of records from Snowflake customer environments,” researchers at Mandiant, a major incident response firm owned by Google Cloud, said in a post at the time.

Impacted accounts have not been configured with MFA (multifactor authentication), Mandiant researchers confirmed.

Mandiant attributed the attacks to a previously unknown, “financially motivated threat actor” it is now tracking as UNC5537.

The stolen credentials were “primarily obtained from multiple infostealer malware campaigns that infected non-Snowflake owned systems,” Mandiant researchers said.

The attacks began at least as far back as mid-April, Mandiant said.