The company, which discovered the attack on April 11, said it had no evidence that any personal data had been misused. It said some social security numbers had also been affected.