Neiman Marcus Group, Twitch, Missouri PSRS/PEERS Make Data Breach News in October

Date: 11/03/2021
  • Neiman Marcus Group (NMG) recently reported a data breach from 2020 that exposed the sensitive information for nearly 4.35 million customers. Compromised information includes payment card numbers, usernames, passwords, and security questions and answers.
  • According to Twitch, the live streaming gaming service suffered a data incident after an error in a server configuration change exposed data that was accessed by a malicious third party. Exposed information includes names, email addresses and buyer comments.
  • The Public School and Education Employee Retirement Systems of Missouri (PSRS/PEERS) suffered a business email compromise (BEC) attack after a criminal gained access to an employee’s email. The attack could have involved sensitive data like Social Security numbers and PSRS/PEERS account numbers. BEC attacks continue to be a popular attack method among identity thieves.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about October and other recent data breach news, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.  
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

Notable October Data Breaches

Of the 139 data compromises the Identity Theft Resource Center (ITRC) tracked in October, three stand out: Neiman Marcus Group (NMG), Twitch, and The Public School and Education Employee Retirement Systems of Missouri (PSRS/PEERS). The NMG data breach news is significant because it impacted approximately 4.35 million people. The Twitch data event exposed the platform’s database after a server configuration error. The PSRS/PEERS data breach was due to a business email compromise (BEC) attack, making them one of the latest groups hit by that type of attack.

Neiman Marcus Group

According to NMG, the department store company recently learned that an unauthorized party obtained the personal information of about 4.35 million customers after a successful external system breach. NMG says approximately 3.1 million payment and virtual gift cards were affected, more than 85 percent of which are expired or invalid. ISMG Group reports that payment card numbers and expiration dates were exposed, but not the CVVs (the three-digit security codes on the back of a card). Gift card PINs were also not exposed.

No active Neiman Marcus-branded credit cards were affected. The company says that it doesn’t have evidence that online accounts for Bergdorf Goodman or Horchow, which are related brands owned by the group, were affected. However, usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts were also exposed.

Twitch

On October 6, Twitch, a live stream gaming service, reported that some data was exposed due to an error in their server configuration and was accessed by a malicious third party. Nine days later, Twitch said the exposed data included documents from their source code repository, as well as a subset of creator payout data. Passwords and login credentials are not believed to have been exposed.

Threatpost reports that 135 gigabytes of internal information were accessed and that it was not just an attack on Twitch. It was also an attack on Twitch users and their personal information. Threatpost goes on to say that despite Twitch’s failure to find any evidence of exposed user data, an independent researcher shared with PrivacySharks other datastores containing personal data, including a PayPal file with details on more than 1,000 chargebacks made from Twitch to various platforms. The records include full names, email addresses, buyer comments and amounts.

Twitch says they are contacting anyone who has been impacted directly by the data breach news and that they have taken steps to further secure their service.

The Public School and Education Employee Retirement Systems of Missouri

PSRS/PEERS suffered a data event that led to nearly 350,000 people’s sensitive data being accessed. According to the data breach notice, the incident occurred after an employee’s email address was accessed by an unauthorized person, a type of incident known as a BEC attack. The notice says the IT department disabled the email within minutes of being notified of the attack. The information involved includes names, dates of birth, PSRS/PEERS account numbers and Social Security numbers (SSN).

PSRS/PEERS is just the latest organization to be struck by a BEC attack. The ITRC continues to see criminals turn to BEC attacks because they are easier to commit and have larger payouts.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and keep an eye out for phishing attempts that claim to be from the breached organization.

NMG asks customers affected by their data breach news to contact their financial institution if they detect any suspicious activity on any of their financial accounts. Anyone impacted can call the company’s customer hotline at 866.571.9725 or visit https://www.neimanmarcus.com/2021-customer-online-account-info.

PSRS/PEERS is offering a 24-month membership to Experian’s Identity Works for anyone who might be impacted due to their event. Individuals have until January 31, 2022 to enroll.

notified

For more information about October data breach news, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.