Alistair Barr

USA TODAY

SAN FRANCISCO -- Neiman Marcus said Thursday that about 1.1 million customer credit and debit cards may have been hacked by malicious software.

The sophisticated, self-concealing malware was "clandestinely" installed on the department store operator's system. The software then actively tried to collect or "scrape" payment card data from July 16 to Oct. 30, the company explained.

During that time, about 1.1 million cards "could have been potentially visible to the malware," Neiman CEO Karen Katz wrote in a statement on the company's website.

So far, roughly 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently, the retailer added, citing information it got from payment network operators Visa, MasterCard and Discover Financial Services. Social security numbers and birth dates were not compromised, the company added.

Neiman's disclosure comes in the wake of one of the largest cyber security breaches ever, aimed at Target, the second-largest U.S. retailer. More than 740 million data records were exposed in 2013, making last year the worst on record for cyber breaches.

Neiman said it it was told in mid-December about potential unauthorized payment card activity following customer purchases at its stores. The company told law enforcement agencies and started working with the U.S. Secret Service, payment companies and private investigation and forensics firms.

On Jan 1, the forensics firm first discovered evidence that the retailer was hit by a "criminal cyber-security intrusion," it added.

The malware has been disabled and the forensic investigation and a criminal investigation are continuing, Neiman also said.

The company said it does not know how many of its stores were affected by the breach, but noted that the attack did not hit online shoppers. It also does not know whether the attack was linked to the Target hack.