Michaels Confirms Card Breach Affecting 3 Million Customers

Michaels confirmed it has been the victim of two separate PoS attacks, exposing the credit and debit card data of as many as 3 million customers

Michaels began investigating the possibility of a breach in January, just weeks after the high-profile PoS compromise at Target came to light that affected more than 40 million credit and debit cards during the busy 2013 holiday season. At the time, Michaels said that it was working with the US Secret Service to determine whether fraudulent activity on some payment cards used at its stores was a sign of a larger compromise of its systems. It then went on to retain two independent security firms to conduct an extensive investigation, along with law enforcement.

Now, after weeks of analysis, the company has disclosed that systems of Michaels stores in the US and its subsidiary, Aaron Brothers, were attacked by criminals using point-of-sale based, “highly sophisticated malware that had not been encountered previously by either of the security firms.”

The thieves were able to make off with payment card numbers and expiration dates, but so far there is no evidence that other customer personal information, such as names, addresses or PINs, was at risk.

In Michaels stores, the attack ran from May 8, 2013, to January 27, 2014, and affected approximately 2.6 million cards, or about 7% of payment cards used at the company's stores during the time period. Regarding Aaron Brothers, the company has confirmed that between June 26, 2013, and February 27, 2014, 54 of its stores were affected by the malware, and about 400,000 cards were potentially impacted during this period.

The threat has been contained, the company said, and it has provided data about potentially affected payment cards to the relevant card brands so they can take appropriate action. Michaels said that it has thus far received only limited reports of fraud, but that it is offering identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the US for 12 months, at no cost.

“Our customers are always our No. 1 priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” said Chuck Rubin, CEO, in a statement. “We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers.”

He added: “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

The news is the latest in a string of retail PoS-related hacks, starting with Target and extending to Neiman Marcus, Sally Beauty Supply and others.
