Following an investigation with two independent security firms that dates back to January, arts and crafts retailer Michaels Stores confirmed on Thursday that, much like retail giant Target, its U.S. stores had experienced a payment card breach.
The Michaels breach involved malware on point-of-sale systems that neither security firm had encountered before, Michaels CEO Chuck Rubin wrote in a Thursday statement, explaining the malware has been removed and the incident has been fully contained.
About 2.6 million payment cards may have been compromised from Michaels outlets between May 8, 2013 and Jan. 27, Rubin said, adding that about 400,000 payment cards could have been compromised from Aarons Brothers stores, a Michaels subsidiary, between June 26, 2013 and Feb. 27.
Rubin explained that the breach impacted a “varying number” of Michaels stores, as well as 54 Aaron Brothers locations. The crafts retailer posted online which Michaels and Aaron Brothers locations were affected.
“While we have received limited reports of fraud, we are offering identity protection and credit monitoring services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them,” Rubin said. “We also are offering these customers a fraud assistance service for 12 months at no cost to them.”
Rubin announced at the end of January that Michaels was looking into a possible payment card breach, shortly after technology writer Brian Krebs reported that the retailer was investigating an incident. The investigation was spurred due to reports of fraudulent activity on cards used in stores.