X

Michaels confirms breaches exposed nearly 3M credit cards

Arts and crafts retail chain says malware at its point-of-sale terminals impacted 2.6 million cards, as well as another 400,000 at Aaron Brothers subsidiary.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil

michaels-1478727.jpg
Getty Images

Arts and crafts retail chain Michaels Stores said Thursday that two separate security breaches at point-of-sale terminals last year at its US stores and Aaron Brothers subsidiary may have exposed nearly 3 million credit and payment cards.

The Michaels breach, which occurred between May 8, 2013, and January 27, 2014, may have affected about 2.6 million cards, or about 7 percent of payment cards used at its stores during the period, the retailer said in a statement. A separate breach on Aaron Brothers' payment systems from June 26, 2013 to February 27, 2014, may have exposed another 400,000 cards.

Michaels, which was the victim of a security breach in 2011, said the systems were attacked by hackers using highly sophisticated malware that neither of the security firms hired to investigate the breaches had previously encountered.

The company said it had received a "limited number of reports" of fraudulent use of cards involved in the breaches but said there was no evidence that other customer personal information, such as names, addresses, or PIN codes, was at risk in connection with this issue.

Michaels revealed that it was investigating a potential payment-card security breach in January, just two weeks after retail giant Target revealed that hackers had also infected point-of-sale terminals at its stores to steal to steal the payment card information from millions of customers. That massive breach occurred between November 27 and December 15, exposing the information of up to 110 million customers.