The security breach at Neiman Marcus, which wasn’t acknowledged officially until a few days ago, went on for much longer than initially believed, the New York Times reports. While the retail store is yet to confirm to the public when the system was first hacked, it told credit card companies in a conference call on Monday that it all started in mid-July and that it wasn’t fully contained until Sunday, unnamed sources revealed. In its initial disclosure to the public, Neiman Marcus said it first learned about the breach in mid-December although it only decided to reveal it in January. In its notes to customers, the retailer said that key personal data, including Social Security numbers and birth dates, were not compromised. Furthermore, the company said that it doesn’t collect card PINs in its stores, and that it had “no knowledge of any connection” between the Target hack and the one it suffered. The retail chain is yet to reveal how many credit and debit cards were compromised during the attack.

In a letter to consumers, Neiman Marcus chief executive Karen Katz apologized for the data breach, the Washington Post reports. “We deeply regret and we are very sorry that some of our customers’ payment cards were used fraudulently after making purchases at our stores,” she said. ” We want you always to feel confident shopping at Neiman Marcus and your trust in us is our absolute priority.” The exec added that the company will provide a free year of credit monitoring to any customer who used a card at Neiman Marcus stores last year.

Even so, the company was criticized for not disclosing the matter sooner, before the holiday shopping season was over. Neiman Marcus told credit card companies around Christmas in an industry phone call that it had evidence it system was breached but chose not to reveal the hack until January. The company now says that the holiday season had nothing to do with the decision to disclose the heck to the public. “We quickly began our investigation and hired a forensic investigator. Our forensic investigator discovered evidence on January 1 that a criminal cyber security intrusion had occurred,“ a spokeswoman said. ”the forensic and criminal investigations continue.”