Breach at Neiman Marcus went undetected from July to December
The computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach was not fully contained until Sunday, according to people briefed on the investigation.
The company disclosed the data theft of customer information late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores. It issued another notice on Thursday, elaborating slightly.
The latest notice said that "some of our customers' payment cards were used fraudulently after making purchases at our stores. We have taken steps to notify those affected customers for whom we have contact information."
The company apologized again, and said it did not believe the customers' Social Security numbers or birth dates — key pieces of personal data — had been compromised.
Neiman Marcus defended its decision not to disclose anything until last week, saying it waited to confirm evidence. The company said nothing about when the attack began and when it was contained.
In a call with credit card companies on Monday, though, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, people briefed on the call said, speaking on the condition of anonymity because of the investigation.
The issue at Neiman appears to have gone on for significantly longer than the widespread attack on Target. In Target's case, however, the data that was stolen appears to be much more significant and ripe for fraud. Target has said card numbers from 40 million customers were stolen, along with encrypted PINs for debit cards. It also estimated that other personal information belonging to 70 million people had been stolen by the hackers.
Neiman Marcus said on Thursday that it had "no knowledge of any connection" between its data breach and Target's.
Neiman has not publicly given any estimate of how many credit card numbers were stolen, or how many customers were affected. But it noted that it does not collect PINs in its stores.
The company only publicly acknowledged the data breach last Friday after facing inquiries from a journalist specializing in computer security, Brian Krebs.
But Neiman had told credit card companies around Christmas, in an industry phone call, that it had evidence that credit cards used at Neiman Marcus were being used to make fraudulent purchases, people who were briefed on those phone calls said.
Neiman has faced criticism for not telling customers about the breach sooner. Target informed its customers about its attack within a few days of learning about it for the first time, pushed also by inquiries from Mr. Krebs. Target's acknowledgment came right before the final holiday shopping weekend, and put a significant dent in Target's sales in the final seasonal rush.
Some people briefed on the investigation questioned Neiman's decision not to disclose anything to the public until the shopping season was over.
One person briefed by law enforcement on the investigation noted: "January 1 is conveniently timed after the holiday season."
A spokeswoman for Neiman Marcus, Ginger Reeder, asserted on Thursday that the holiday season had nothing to do with its decision.
In its notice on Thursday, the company said: "We quickly began our investigation and hired a forensic investigator. Our forensic investigator discovered evidence on Jan. 1st that a criminal cybersecurity intrusion had occurred. The forensic and criminal investigations continue." Neiman said it would provide customers with one free year of credit monitoring, similar to what Target has offered.
A growing group of state attorneys general, including those from Connecticut, New York and Illinois, are jointly investigating both the Target and Neiman Marcus breaches.
The authorities are examining whether the two attacks are related. Both appear to have been committed by criminal groups in Eastern Europe, people briefed on the investigation said.