Arts and crafts retailer Michaels Stores yesterday announced that a data breach exposed approximately 2.6 million payment cards that had been used at Michaels locations between May 8, 2013 and January 27, 2014, along with approximately 400,000 payment cards that had been used at Michaels subsidiary Aaron Brothers between June 26, 2013 and February 27, 2014 (h/t The Verge).
The company had previously announced on January 25, 2014 that it was looking into a possible breach of payment card data, and was working with third-party data security firms to investigate the incident.
“After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” Michaels CEO Chuck Rubin wrote in a letter posted on the company’s Web site. “We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers.”
While payment card numbers and expiration dates were accessed, the company says there’s no evidence indicating that any other personal information was exposed.
“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance,” Rubin said in a statement [PDF]. “Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
All those affected by the breach are being offered one free year of access to credit monitoring services from AllClear ID, and are being advised to consider placing fraud alerts on their credit files. Customers with questions are advised to contact (877) 412-7145.