Neiman Marcus Group Ltd., the luxury retailer, said about 1.1 million credit cards may have been compromised in a data breach that occurred last year.
Visa, MasterCard and Discover have notified the Dallas- based department store chain that about 2,400 cards used at its stores between July 16 and Oct. 30 were used fraudulently, according to a statement today. Online shoppers weren't affected, the company said.
Closely held Neiman Marcus is the second U.S. retailer to announce a customer data-security breach. Minneapolis-based Target Corp. has said as many as 110 million customer accounts were compromised during the holiday shopping season by the theft of information including names, home and e-mail addresses as well as credit and debit card data.
On Dec. 17, the chain received a report that about 122 MasterCards had been used in one of its stores, the company said in a Jan. 22 letter to Senator Richard Blumenthal, a Democrat from Connecticut.
In the following days, the company was sent additional reports from MasterCard Inc. and Visa Inc. that 100 additional cards had been used fraudulently after being used at Neiman Marcus stores. The company started a "thorough" probe.
On Jan. 1, Neiman Marcus learned that "sophisticated, self-concealing malware that can 'scrape' payment card information had been clandestinely introduced into our system," the company said. Neiman Marcus said that it later learned the malware had been inserted as early as July 2013.
In its statement today, the company said it has "taken steps to notify those affected customers for whom we have contact information." The retailer is offering free credit monitoring to affected shoppers.
Neiman Marcus was bought last year by Ares Management LLC and the Canada Pension Plan Investment Board from TPG Capital and Warburg Pincus LLC.