But the retail chain says online shoppers haven’t been affected.

Criminals who stole data last year at The Neiman Marcus Group Inc. had access to information for 1.1 million customer payment cards, and data from some 2,400 of those cards has been used to commit fraud, president and CEO Karen Katz says today.

So far, though, the breach has not affected online shoppers, and there is no indication that card data have been used for fraudulent online transactions involving the retail chain, No. 39 in the Internet Retailer 2013 Top 500 Guide.

Criminals installed malicious software—malware in the common lingo—to steal customer information, Katz writes in a note posted on NeimanMarcus.com. Criminals took the data between July 16 and Oct. 30, 2013.

The breach involved debit and credit cards, though there is yet no evidence it involved the chain’s private-label cards. Katz says the thieves failed to access the following data: Social Security numbers, birth dates and personal identification numbers for debit cards, as the chain does not accept PIN debit at its stores. It was not immediately clear if the thieves managed to steal the the CVV2 code printed on the back of cards, which many online retailers require to confirm purchases. But the Katz states that “customers that shopped online do not appear to have been impacted.”

E-retailers and processors contacted over the last week by Internet Retailer have reported no uptick in online fraud since both the Neiman Marcus and Target Corp. data breaches nor any official notices from card networks and processors related to the e-commerce threat of those breaches. Target and Neiman Marcus may not have been the only retailers attacked. There are unconfirmed reports that criminals attempt to steal credit and debit card data from six retail chains.


That said, e-retailers are hardly letting down their guard, given the global nature of such data breaches and the marketing and selling of the stolen information to buyers around the world. “We have not received any communications from our processor regarding credit card security breaches in relation to recent attacks,” says a spokesperson from one Internet Retailer Top 500 e-retailer, wishing to remain anonymous. “We are highly proactive with monitoring fraud and offering a secure shopping experience for our customers.”

This week, one e-retailer did confirm a data breach that involved online shoppers, although there is no evidence it is connected to the data thefts from Target and Neiman Marcus. Easton-Bell Sports says criminals broke into a server operated by a vendor that contained payment information from web shoppers. The company sells sporting gear under such brands as Bell, Riddell, Giro, Blackburn and Easton Cycling. The break took place between Dec. 1 and Dec. 31