After alerting its customers in January that its arts and crafts store chain had suffered a potential data breach, Michaels Stores Inc. confirmed last week that at least 2.6 million cards may have been affected.
The attack focused on point of sale systems at hundreds of Michaels stores between May 8, 2013 and Jan. 27, 2014 and at Aaron Brothers, a unit of Michaels, between June 26, 2013 and Feb. 27, 2014, CEO Chuck Rubin confirmed.
Hackers used "highly sophisticated malware" that had not been previously detected by security firms, but there was no evidence that the criminals had access to customer names, addresses or PINs, Rubin states in his letter to customers. The company has contained the malware to eliminate the threat to shoppers, he says.
The affected systems contained payment card numbers and expiration dates, Rubin says.
The 2.6 million cards represent about 7% of cards used at Michaels stores in the U.S., Rubin adds. Michaels estimates that Aaron Brothers accounts for about 400,000 of the compromised payment cards.
The affected Aaron Brothers stores were located in the West and Southwest United States, and the Michaels breaches occurred across the nation.
Michaels endured a breach on a smaller scale in 2011 when fewer than 100 customers' debit card accounts were exposed through a PIN-pad compromise.
The Michaels announcement comes in the wake of the highly publicized Target and Neiman Marcus breaches during the 2013 holiday shopping season.
However, EMV technology combats counterfeiting, a common security problem with the current magnetic-stripe technology.