In December, US retail giant Target confirmed up to 40 million credit card accounts were at risk after customer data was stolen by hackers. Now, according to Brian Krebs — the journalist that first reported the Target security breach — a second retailer has suffered a similar attack. Krebs on Security reports that hackers have stolen customer credit card data from the Dallas-based fashion chain Neiman Marcus.

Krebs says his sources in the finance industry started to suspect a large retailer had been hacked after a December surge in fraudulent debit and credit card charges. The payments, Krebs says, were traced to cards that had been recently been used at Neiman Marcus' brick-and-mortar stores. Those suspicions were confirmed by Neiman Marcus spokesperson Ginger Reeder, who said that the chain was informed of "potentially unauthorized payment card activity that occurred following customer purchases at Neiman Marcus Group stores" by its credit card processor in mid-December. The company says it informed federal law enforcement agencies, in addition to "a leading investigations, intelligence and risk management firm, and a leading forensics firm." On January 1st, that forensics firm found evidence that the fashion chain was indeed "the victim of a criminal cyber-security intrusion," and said that some customers' cards were "possibly compromised" as a result.

The hack affects cards that were used in Neiman Marcus brick-and-mortar stores

The scale and scope of the hack are yet to be revealed, but the amount of time the hackers had to access the data undetected may affect the number of customers affected. Target's hackers were reportedly able to obtain so much data — details for up to 40 million cards, and up to 70 million names, email addresses, and phone numbers — because the security hole stayed open from Thanksgiving until mid-December. Reeder says Neiman Marcus has "taken significant steps to further enhance information security" since uncovering the breach, but also suggests that the company has only recently "begun to contain the intrusion," some weeks after the first fraudulent payments appeared.