Michaels Stores confirmed that as many as 3 million cards were affected in a recent security breach, or approximately 7 percent of all credit and debit cards used in its namesake stores and approximately 400,000 cards used at the chain's 54 Aaron Brothers locations.
The breach occurred between May 8, 2013, and Feb. 27 and was first uncovered by blogger Brian Krebs on Jan. 25.
After Michaels went public and confirmed the breach, the retailer retained two independent security firms to conduct an investigation and has been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts.
The investigations confirmed that Michaels store systems were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms.
Data stolen from Michaels included certain payment card information, such as payment card numbers and expiration dates. There was no evidence that other customer personal information, such as name, address or PIN, was at risk. Michaels said it has received a "limited number" of reports from banks and card companies of fraudulent payments.
The attack targeted a limited portion of the point-of-sale systems at a varying number of stores. Like Target before it, Michaels has offered affected shoppers free identity protection, credit monitoring and fraud assistance services for 12 months.
Michaels joins a growing list of retailers that have reported breaches of their systems in the past year, including Target (NYSE:TGT), Neiman Marcus and Sally Beauty Supply (NYSE:SBH).
The National Retail Federation said it would create a platform through which retailers could obtain and share information on online security threats, and both the NRF and the Retail Industry Leaders Association have been actively working on security issues.
"In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance," said Chuck Rubin, CEO. "Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers."
Not surprisingly, new findings from the Pew Research Center reveal that a growing number of U.S. shoppers have had personal information stolen and accounts compromised.
Findings from a January 2014 survey show that 18 percent of online adults have had important personal information stolen such as a Social Security Number, credit card or bank account information, up from 11 percent who reported personal information theft in July 2013.