Neiman Marcus, the Dallas-based chain of luxury department stores, has agreed to pay $1.5 million in compensation to the 43 states affected by a 2013 data breach, announced Texas Attorney General Ken Paxton on Tuesday.

This sum is significantly lower than Target’s settlement of $18.5 million following that retailer’s data breach in the same year, which was estimated to have cost $150 million.

A nationwide investigation concluded that, in 2013, a third party gained unauthorized access to 370,000 credit and debit cards used at 77 Neiman Marcus stores in multiple states. The breach went undetected for three months and was publicly announced in January of 2014. Some 9,200 cards were used for illicit purposes, said Paxton.

“Texas law requires businesses to implement and maintain reasonable safeguards against cyberattacks to protect consumers’ personal information from unlawful use or disclosure,” he said. “I urge companies to evaluate whether they have in place a thorough and ongoing written information security program that serves to safeguard their customers’

The retailer also has to strengthen security and implement a clear policy to fend off attacks and protect customer data. An information security assessment and report from a third party is also required.

Neiman Marcus is not the only luxury department store to expose its customers’ financial data or personal information. In 2018, Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores also fell victim to unauthorized intrusions that affected their