Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation.
Neiman Marcus said on Friday that hackers may have stolen customers' credit and debit card information, the second cyber attack on a retailer in recent weeks.
Neiman Marcus had said it first learned in mid-December of suspicious activity that involved credit cards used at its stores.
However, in a call with credit card companies on Monday, Neiman acknowledged that the attack had only been fully contained a day earlier, and that the time stamp on the first intrusion was in mid-July, the paper said.
Neiman Marcus spokeswoman Ginger Reeder declined to comment to Reuters on the New York Times report about the July hack attack.
"We did not get our first alert that there might be something wrong until mid-December. We didn't find evidence until Jan. 1," Reeder told Reuters late on Thursday.
Neiman Marcus did not say how many credit cards were affected but said that customer social security numbers and birth dates were not compromised.
"Customers that shopped online do not appear at this time to have been impacted by the criminal cyber-security intrusion. Your PIN was never at risk because we do not use PIN pads in our stores," Chief Executive Karen Katz wrote in a letter to customers, a copy of which was posted on the company's website.
Katz said the company has taken steps to contain the situation, including working with federal law enforcement, disabling the malware and enhancing security tools.
The company is also assessing and reinforcing its related payment card systems, Katz said.
The U.S. government on Thursday provided merchants with information gleaned from its confidential investigation into the massive data breach at Target Corp, in a move aimed at identifying and thwarting similar attacks that may be ongoing.