In the second security breach at Michaels Stores, Inc. in just two years, cybercriminals used malware planted at point-of-sale terminals to compromise 2.6 million payment and credit cards. The company also said a further 400,000 cards were affected at its subsidiary, Aaron Brothers.
Michaels is the largest arts and crafts retail chain in the US. It currently operates about 1,040 stores located in 49 states and Canada. Its Aaron Brothers retail chain consists of some 115 stores. Michaels' corporate headquarters is located in Irving, Texas.
Michaels said the breach took place between May 8, 2013 and January 27, 2014 and might have affected some 2.6 million cards, or seven percent of the payment cards used at its stores during the period. Another breach at Aaron Brothers' payment systems from June 26, 2013 to February 27, 2014 could have exposed a further 400,000 cards.
The company said it was investigating both cybersecurity lapses together with law enforcement authorities, banks and payment processors. It said that the malware no longer presents a threat.
Michaels said it has received a "limited number of reports" of fraudulent use of cards involved in the breaches. It pointed out, however, that there is no evidence that sensitive customer personal information such as names, addresses or PIN codes was at risk.
Michaels said certain systems that process payment cards were attacked by cybercriminals using highly sophisticated malware that neither of the security firms hired to investigate the breaches had previously come across. The company was previously hit by cybercriminals in 2011.
US retailers are planning to form an industry group that will collect and share intelligence in order to prevent future attacks that are increasingly targeting large retail chains.