Michaels Says 2.6 Million Payment Cards Possibly Affected During Lengthy Intrusion

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

April 18 --Arts and crafts retailer Michaels Stores Inc. April 17 said it has discovered evidence confirming that its systems were affected by a data breach possibly affecting 2.6 million customer payment cards.  

The company said in a statement that the breach also affected the systems of Michaels subsidiary Aaron Brothers Inc., possibly affecting approximately 400,000 payment cards used at its stores.

Michaels said that it has “identified and fully contained the incident, and the malware no longer presents a threat” to those shopping at its stores.

The confirmation of the breach by Michaels follows breaches disclosed over the past several months by major retailers Target Corp. and Neiman Marcus Group Ltd.

Earlier PIN Pad Breach

This isn't the first confirmed breach at Michaels. In May 2011, the company disclosed that fraudsters had replaced store personal identification number (PIN) entry terminals with modified PIN pads that could skim payment card data at stores in 20 states.

This past January, the company announced that it had learned of possible fraudulent activity on some payment cards that had been used at its stores and that it was investigating a possible security breach.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” Michaels said in an April 17 statement.

PINs Not Affected

The systems affected by the latest breach contained payment card information such as card numbers and expiration dates, the company said. However, there is no evidence that other personal information of customers, such as names, addresses and PINs, was affected, it added.

Michaels said the attack targeted point-of-sale systems at some of its stores between May 8, 2013, and Jan. 27, 2014. The 2.6 million cards affected represent 7 percent of payment cards used at its stores during this time period, the company added.

The breach affected 54 Aaron Brothers stores between June 26, 2013, and Feb. 27, 2014, according to the Michaels statement.

There have been a “limited number of reports from the payment card brands and banks of fraudulent use” of the cards, Michaels said. The company said it is offering free identity protection, credit monitoring and fraud assistance services to affected customers for 12 months.

Request Bloomberg Law Privacy and Data Security