Neiman Marcus confirmed on Saturday that thieves may have stolen customers' credit and debit card information and made unauthorised charges over the holiday season. The luxury merchant thus became the second retailer in recent weeks to announce it had fallen victim to a cyber-security attack.

The hacking, coming weeks after Target revealed its own breach, underscores the increasing challenges that merchants have in thwarting security breaches. On Friday, Target disclosed that its massive data theft was significantly more extensive and affected millions more shoppers than the company announced in December.

Ginger Reeder, spokeswoman for Dallas-based Neiman Marcus Group Ltd, said in an email on Saturday that the retailer had been notified in mid-December by its credit card processor about potentially unauthorised payment activity following customer purchases at stores. On 1 January, a forensics firm confirmed evidence that the upscale retailer was a victim of a criminal cyber-security intrusion and that some customers' cards were possibly compromised as a result.

Reeder says the retailer, which operates more than 40 upscale stores and clearance stores, is working with the Secret Service. She would not estimate how many customers may be affected but said the merchant was notifying customers whose cards it knew were used fraudulently.

"We have begun to contain the intrusion and have taken significant steps to further enhance information security," Reeder said in an email.

On Friday, Target, the nation's second-largest discounter, said that according to new information gleaned from its investigation with the Secret Service and the Department of Justice, hackers stole personal information – including names, phone numbers, email and mailing addresses – from as many as 70 million customers as part of a data breach it discovered last month.

On 19 December, the Minneapolis-based company announced that some 40m credit and debit card accounts had been affected by a data breach that happened from 27 November to 15 December, just as the holiday shopping season was getting into gear. As part of that announcement, the company said customers' names, credit and debit card numbers, card expiration dates, debit-card PINs and the embedded code on the magnetic strip on the back of cards had been stolen.

Some overlap exists between the 70 million individuals discussed on Friday and the 40m compromised credit and debit accounts announced in December, Target said.

When Target releases a final tally, the theft could become the largest data breach on record for a retailer, surpassing an incident uncovered in 2007 that saw more than 90m records pilfered from TJX Cos.