The potential Michaels data breach originally reported in January has been confirmed, and as many as three million credit cards may have been impacted. After Michaels, the country’s largest crafts store chain, and its subsidiary, Aaron Brothers, learned of fraudulent activity on payment cards that had been used in their stores, an investigation was launched with the aid of two separate security firms as well as law enforcement authorities.
According to Michaels Stores, Inc. the investigation turned up evidence of a highly sophisticated malware which neither security firm had ever seen before. The threat has been fully identified and contained and no longer poses a threat to Aaron Brothers or Michaels customers, but before detection hackers could have gained access to a great number of credit cards.
Between May 8, 2013 and January 27, 2014 a portion of point-of-sale systems at multiple locations were compromised by the malware. Roughly 7% of all credit card transactions could have been impacted, amounting to a total of 2.6 million cards used in Michaels stores during that period. 400,000 payment cards used in Aaron Brothers stores were similarly affected.
At this time there is no evidence that personal information such as customer names, addresses, or PINs were taken in the attack, but credit card numbers and expiration dates were obtained by the hackers. Payment card companies and banks have already reported a limited number of fraudulent charges that could be connected to the breach.
“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” said CEO Chuck Rubin. “We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers.”
In order to help customers determine whether they could have been impacted by the data breach, Michaels Stores, Inc. has released a comprehensive list of both Michaels and Aaron Brothers stores that were targeted by the malware, including the date ranges during which each Michaels location was under attack.
On Long Island, the Bay Shore, Commack, Huntington Station, Levittown, Manhasset, Massapequa, Oceanside, Patchogue, Riverhead, Rocky Point, and Westbury Michaels stores have been confirmed as compromised during the breach period.
Photo credit: jennnster / Foter / Creative Commons Attribution-NoDerivs 2.0 Generic (CC BY-ND 2.0)