Specialty retailer The Neiman Marcus Group Inc. yesterday sent letters to nearly 160,000 current and former employees to tell them of a potential breach involving their personal data.
The letters were prompted by the theft of "computer equipment" from a third-party pension plan consultant working for the retailer. The equipment held the data now potentially at risk.
A spokeswoman for the Dallas-based Neiman Marcus said that the company was informed of the theft on April 10 but was asked by law enforcement authorities not to disclose the breach initially.
The data was contained in a file on the stolen equipment and included names, dates of birth, addresses, Social Security numbers, and salary and other information. According to the spokeswoman, security policies at the company from which the data was stolen required it to have been encrypted. "But we are just assuming it wasn't" and informing affected individuals as a precaution, she said.
The potentially compromised file contained data on employees who joined Neiman Marcus before August 2005. Included in the file was data on employees from Neiman Marcus Stores, Neiman Marcus Direct, Bergdorf Goodman, Horchow, Horchow Finale, Last Call, Chefs Catalog and Contempo Casuals. Those receiving Neiman Marcus pensions were also affected by the theft.
So far, there is nothing to suggest that the information has been misused, the spokeswoman said.
The incident at Neiman Marcus continues a string of such disclosures by numerous retailers and other companies over the past couple of years. In most cases, the disclosures are prompted by state breach disclosure laws that require companies to inform people of data compromises involving personal information -- even if there is little real risk of the compromised data actually being misused.
Analysts believe that most often, thefts involving computer equipment are perpetrated by crooks looking to make money hawking the hardware rather than the data it contains. A yearlong study of about 5,000 U.S. consumers by Pleasanton, Calif.-based analyst firm Javelin Strategy & Research last year, in fact, showed that despite the hype, computer data breaches were responsible for just 6% of all known cases of identity theft. By comparison, losing one's wallet contributed to 30% of reported ID theft cases. Such statistics have prompted some security analysts and industry advocates to call for notification triggers under which companies would be required to disclose breaches only where there is a real threat or evidence that breached data is being misused.
Others, however, argue against such triggers, saying companies would use them to justify not disclosing breaches.