Neiman Marcus Agrees To Pay $1.6M To Settle 2013 Data Breach Class Action Lawsuit

Image courtesy of Adam Fagen

Three years after Neiman Marcus disclosed that it had become the victim of a hack attack in 2013, exposing the credit card information of more than 350,000 customers, the upscale retailer has reached a $1.6 million settlement in the subsequent class action lawsuit. 

The settlement [PDF], which was entered Friday in Illinois District Court, puts an end to a three-year long court battle between the retailer and its customers.

The lawsuit, which was first filed in March 2014, claimed that Neiman Marcus failed to notify customers of the hack immediately after being informed of the issue by credit card processor in mid-December. Instead, the company did not reveal the hack until Jan. 10.

According to the lawsuit [PDF], between July 16 and Oct. 30, 2013 malicious software contained on the payment systems used by Neiman Marcus attempted to collect the payment data of 1.1 million customers. However, in Feb. 2014, Neiman Marcus updated its estimates determining that only 350,000 customer were affected by the hack, with 9,200 of those customers’ accounts ultimately being used fraudulently.

“Neiman Marcus’ security failures enabled the hackers to steal financial data from within Neiman Marcus’ stores and, on information and belief, subsequently make unauthorized purchases on customers’ credit cards and otherwise put Class members’ financial information at serious and ongoing risk,” the suit states.

Under the proposed settlement, Neiman Marcus would provide reimbursements to any U.S. resident who held a credit card or debit card account that as used at a Neiman Marcus store between July 16, 2013 and Jan. 10, 2014.

In order to be considered for the settlement, consumers must file a claim. The Dallas Morning News reports that a notice to file claims will be sent to the approximately 640,000 settlement class members soon.

The settlement also notes that Neiman Marcus has changed its business practices to strengthen its information technology security.