BROOKLYN (CN) - Neiman Marcus waited for weeks to tell its customers their credit and debit card information may have been stolen, a class action claims in Federal Court.
Lead plaintiff Melissa Frank claims her debit card information was stolen in December and fraudulent charges were run up on it-but Neiman Marcus did not tell its customers about the hack attack until Jan. 10.
And, as in the well-publicized Target fiasco , Neiman Marcus did not publicize the attack, but a blogger was the first to alert the public, Frank says in the lawsuit.
The same blogger - krebsonsecurity.com - alerted customers in both cases, the complaint states. She claims Krebs posted the warning on Jan. 10, "before Neiman Marcus made any attempt whatsoever to notify affected customers."
Frank claims the data breach affected an "undisclosed number of credit and debit cards swiped at U.S. Neiman Marcus stores, including 'Last Call' outlets, between Dec. 15, 2013 and Jan. 1, 2014."
The lawsuit does not estimate the number of cards that may have been compromised, but Frank says that "millions of Americans regularly shop at Neiman Marcus stores," and claims the damage exceeds $5 million.
After Krebs revealed the data breach, Frank says in the lawsuit, Neiman Marcus acknowledged that customers' names, credit and debt card numbers, expiration dates, PINs and the embedded code on the magnetic strip on the back of cards had been stolen.
But the high-end retailer simply posted a statement on its Twitter account, "not on the shopping site regularly accessed by customers on Jan. 10, 2014, vaguely indicating: 'The security of our customers' information is always a priority and we sincerely regret any inconvenience;' and 'We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores,'" according to the complaint.
Neiman Marcus did not immediately respond to a request for comment Monday night.
Frank claims Neiman Marcus "failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,"
She seeks class certification and damages for negligence, invasion of privacy, bailment and conversion.
She is represented by Wendy R. Stein.