Luxury retailer Neiman Marcus is the latest victim of a data breach, this one exposing personal and financial information contained in the online accounts of approximately 4.6 million customers.

The company revealed Thursday it learned in September that “an unauthorized party” accessed customer names and addresses, credit card information, and gift card numbers back in May 2020. It did not explain how more than a year has passed between the breach and its discovery.

“At Neiman Marcus Group, customers are our top priority,” said CEO Geoffroy van Raemdonck in a press release. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

The company said it notified law enforcement and hired a cybersecurity firm to investigate the circumstances around the breach. At the moment, the retailer believes online customers for two other luxury brands under its corporate umbrella, Bergdorf Goodman and Horchow, were not affected.

As part of its response, Neiman Marcus notified all affected customers about the breach and is requiring them to reset their online account passwords, if they have not done so since May 2020. The company has set up a hotline and a website for affected customers to call or log into for more information.

“Our investigation is ongoing, and we are working quickly to determine the nature and scope of the matter,” Neiman Marcus stated.

Breaches of this magnitude open companies to legal liability if compromised customer personal or financial information end up causing harm through stolen identities or fraud. Customers who live in California and are affected by the breach can sue Neiman Marcus for failing to protect their personal information under the California Consumer Privacy Act (CCPA).

According to a CCPA litigation tracker developed by law firm Perkins Coie, more than 170 CCPA-related lawsuits have been filed as of August since the law took effect in January 2020. Of that total, 131 have been triggered by a data breach, alleging the companies’ failure to implement reasonable cybersecurity safeguards resulted in the breach.