Craft Store Michaels Confirms Data Breach Affecting 2.6 Million Credit Cards

Three months after craft retailer Michaels announced it may have been the victim of a data breach, the company confirms the worst: nearly 2.6 million consumers’ credit cards are affected.

In January, Michaels, a large arts and crafts chain, warned customers that the company “may have experienced a data security attack.” On Friday, the company announced that sometime between May 8, 2013 and January 27, 2014 about 2.6 million or 7% of payment cards used at its stores were compromised.

Additionally, nearly 400,000 cards were affected at 54 Aaron Brothers stores, a subsidiary of the company, from June 26, 2013 to February 27, 2014.

While officials say the affected systems contained payment card numbers and expiration dates, there is no evidence that data such as customers’ names or personal identification numbers were at risk.

“After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” Michaels CEO Chuck Rubin says in a statement to customers on the company’s website. “We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers.”

Michaels claims that there are only a limited number of fraud incidents have been reported, but the company is offering 12 months of free identity protection and credit monitoring services, as well as 12 months of free fraud assistance to affected customers in the United States.

Customers are encouraged to continue to monitor their payment activity and immediately contact their banks if any suspicious activity is found. The company continues to work with law enforcement authorities, banks and payment processors to investigate the breach.

“We are truly sorry and deeply regret any inconvenience this may cause,” Rubin says in the statement. “Our customers are always our number one priority and we are committed to retaining your trust and loyalty.”

The company first announced the possibility of an attack just weeks after the massive Target data breach that hit approximately 110 million consumers during the holiday season.

Following a string of data hacks, the Consumer Financial Protection Bureau outlined a number of ways consumers can protect themselves and where to get help if they suspect their information has been compromised.

Shortly after the data breaches at Target, Neiman Marcus and Michaels were announced the conversation turned to what new technology could help prevent such attacks in the future. During a Senate Judiciary Committee hearing in February, senators discussed the possibility of “smart” chip cards.

The EMV (short for “Europay, Mastercard and Visa”) cards tiny chips embedded in them that encrypt the card’s information. Already in use in Europe, the chips cut back on card fraud because their existence makes cards significantly harder to clone: even if you get all of the information from a card’s magnetic strip, as through a skimmer, without the chip actually being present the card data is useless in a physical transaction.

Officials with Visa and MasterCard announced they hope to end traditional sign-and-swipe credit card transitions and switch to the chip-and-PIN system by 2015. In March, the companies formed an industry group to address payment security issues specifically the adoption of EMV technology.

Important Notice About Certain Customer Payment Card Information [Michaels]