Crafts Giant Michaels Confirms Breach Of As Many As 2.6 Million Credit Cards


UPDATED: Friday April 18, 2014 1:59 PM

Michaels Stores Inc. said Thursday that about 2.6 million cards, or about 7 percent of all debit and credit cards used at its namesake stores, may have been affected in a security breach.

The nation's largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.

Irving, Texas-based Michaels said that it has contained the incident, which began last year. It has received "limited" reports of fraud from banks and the payment card brands that are potentially connected to the breach.

The compromised data includes customer information such as payment card numbers and expiration dates. But there's no evidence that other personal information such as names, addresses or PIN numbers were at risk, Michaels said.

Michaels' report comes as many shoppers worry about the safety of their personal data following a massive pre-Christmas security breach at Target Corp. that affected 40 million debit and credit cards.

The details come nearly three months after Michaels disclosed that it may have been a victim of a data breach and that it was working with law enforcement authorities, banks and payment processors.

The company said Thursday that both chains were attacked by criminals using highly sophisticated malware that had not been encountered previously by the two security firms that were conducting the investigation.

"Our customers are always number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused," said Chuck Rubin, CEO of Michaels, in a statement.

The breach at Michaels stores occurred between May 8, 2013 and Jan. 27. The company confirmed that between June 26, 2013 and Feb. 27, 54 Aaron Brothers stores were affected by this malware.

Michaels said that it was offering free identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months.

These are the central Ohio Michaels locations affected by the data security breach

90 Graceland Blvd Columbus OH 43214-7509

3680 Easton Market Columbus OH 43219-6032

3612 W Dublin Granville Rd Columbus OH 43235-4901

1614 Stringtown Rd Grove City OH 43123-8995

1830 Hilliard Rome Rd Hilliard OH 43026-7565

9051 Columbus Pike Lewis Center OH 43035-9412

2766 Brice Rd Reynoldsburg OH 43068-3419

©2014 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.