Michaels Stores said Thursday that up to 3 million cards may have been affected in a security breach, or roughly 7 percent of all debit and credit cards used at its namesake stores.
At the company's Aaron Brothers locations, approximately 400,000 cards used at 54 stores may have been impacted between June 26, 2013, and Feb. 27, 2014.
Michaels confirmed that the incident has been contained, and the conclusions are shedding light on how to help prevent these attacks in the future.
The breach at Michaels' stores occurred between May 8, 2013, and Jan. 27, 2014, the company said, citing analysis conducted by the company and security firms. Like the Target breach (NYSE:TGT), the attack at Michaels invaded its point-of-sale systems. The data theft was the result of criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. Michaels has also been working with law enforcement officials.
Data stolen from Michaels included certain payment card information, such as payment card number and expiration dates. There was no evidence that other customer personal information, such as name, address or PIN, was at risk. Michaels said it has received a "limited number" of reports from banks and card companies of fraudulent payments. The company will offer affected customers free identity protection, credit monitoring and fraud assistance services for 12 months.
There are more than 1,135 Michaels stores and 119 Aaron Brothers locations, and the company has posted lists of branches that were affected on its website.
Michaels is one of several retailers affected by a data breach in recent months. In addition to Target, Neiman Marcus and Sally Beauty Supply (NYSE: SBH) have also reported a breach of their systems.
Last week, the National Retail Federation announced that it would create a platform through which retailers could obtain and share information on online security threats.
-See this Michaels press release
NRF issues industry-wide directive regarding data security, calls for chip and PIN
Shoppers blame retailers for data breaches, Congress blames Target
Sally's data breach possibly affected up to 280,000 customers
More Target trouble: Jobs slashed amid reports the breach could have been prevented
Target invests $5 million in security education, offers free credit monitoring to customers for 1 year