Handbag and accessories maker Vera Bradley said on Wednesday hackers may have accessed customer data from payment processing systems in its stores, causing a delay in an upgrade of its website and potentially hurting holiday-season sales.
The company (VRA) said hackers may have accessed customer data including card numbers, cardholder names, expiration dates, and internal verification codes between July 25 and Sept. 23.
Vera Bradley, which had 112 stores and 44 factory outlets at the end of July, said the delay in the upgrade of its website “could impact its ability to generate positive comparable sales growth” in the fourth quarter ending Jan. 31.
The exact number of cards affected is unclear, spokeswoman Julia Bentley said in an email. Cards used to shop on the company’s website were not affected.
Get Data Sheet, Fortune’s technology newsletter
The FBI alerted the company on Sept. 15 about a “potential data security issue” in its retail network, Bentley said.
The company then launched an investigation that showed hackers had installed a program in the company’s payment processing system that tracked customer data contained in the magnetic stripes of payment cards.
“Vera Bradley has stopped this incident,” the company said, adding that it was working with cyber security firm FireEye’s (FEYE) Mandiant business to improve security.
The company said it had postponed the upgrade of its website to focus on improving security. The new website will now be launched in the first quarter of 2017.