Michaels, the nation’s largest arts and crafts chain, said it identified and contained a data security breach that potentially compromised up to three million credit cards.
Earlier this year, the privately held company disclosed it was investigating a possible breach of its point-of-sale systems, the same type of malware attack that affected 40 million payment cards used at Target (TGT) stores.
The breach at Michaels’ namesake stores occurred between May 8, 2013, and Jan. 27, 2014. According to the company, only some point-of-sale systems at a varying number of stores were affected over that period, and a small percentage of payment cards used in those stores were compromised.
Citing analysis conducted by the company and security firms, hackers may have obtained data from about 2.6 million cards, or 7% of the total number of cards used at Michaels stores.
At the company’s Aaron Brothers locations, approximately 400,000 cards used at 54 stores may have been impacted between June 26, 2013, and Feb. 27, 2014.
There is no evidence any other personal information, such as name, address or debit card PIN numbers, was at risk during the two cyber-attacks, Michaels said.
“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” Michaels CEO Chuck Rubin said in a statement. “Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers.”
Michaels said it has received a “limited number” of reports from banks and card companies of fraudulent payments. However, the company will offer affected customers free identity protection, credit monitoring and fraud assistance services for 12 months.
Michaels also noted the malware used in the attack was “highly sophisticated” and had not been encountered previously by either of the two security firms retained by the Irving, Texas-based company.
“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance,” Rubin said.
Michaels is one of several notable retailers who were hit by a cyber-attack. In addition to Target, high-end retail chain Neiman Marcus also reported a breach of its systems