Michaels has confirmed that credit and debit card information was stolen from 3 million customers who shopped at some of its stores during an eight-month period.
The craft-store chain initially confirmed the data breach in January but gave few details of what occurred or how many customers were affected.
In the update, released late Thursday, the firm said criminals broke into its payment system last year, targeting the point-of-sale machines.
The malware affected customers who used their credit or debit cards to shop at Michaels between May 8, 2013, and January 27, 2014, a total of 2.6 million cards, the company said. Data from an additional 400,000 cards at its subsidiary Aaron Brothers were stolen from those who shopped between June 26, 2013, and February 27, 2014.
Michaels posted a list of affected stores on its Web site, which includes 23 stores in Maryland and eight in Northern Virginia. The retailer does not have any locations in the District.
News of the breach was first reported Jan. 25 by security blogger Brian Krebs. But the dates released by the retailer Thursday show that customers were vulnerable to attack for up to a month after the announcement. The company did not address the lag in its statement.
Michaels is one of several major retailers — including Target and Neiman Marcus — that were hit by cyberattacks during the past year. The breaches have sparked debates in Washington on the vulnerability of the nation’s magnetic-stripe payment card system and the need for a uniform breach-notification law that would require companies to tell their customers as soon as they discover an attack. Currently, companies are governed by a patchwork of state-level laws.
“This is just one more reason that we need federal data-breach legislation,” said Delara Derakhshani, policy counsel for Consumers Union, an advocacy group. “We have to raise the standards of accountability for retailers such as Michaels, Target or Neiman Marcus.”
Lawmakers have held hearings on Capitol Hill and floated multiple bills supporting federal legislation. Retailers and banks formed a working group this year to combine information and security measures that may help prevent attacks.
But there has been little progress on the issue.
“The ideal solution is going to be one that gleans from all of these bills,” Derakhshani said.
In its update to customers, Michaels did not elaborate on the nature of the attack but said criminals used a “highly sophisticated malware that had not been encountered previously” by either of the security firms investigating the breach. Michaels said it hired two independent security firms to investigate the attack — which is the company’s second data breach in three years.
The stolen information at Michaels and Aaron Brothers includes credit and debit card numbers and expiration dates. Customer names, Personal Identification Numbers (PINs) and addresses were not affected, the company said.
“With this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” Michaels chief executive Chuck Rubin said in a statement.
The company has received “limited reports” of fraudulent activity, he said, and is offering customers free credit-
monitoring services for one year.
The retailer’s last breach occurred in May 2011, when criminals tampered with 90 PIN pads at stores across the country to steal customers’ payment card information. At the time, the company said fewer than 100 customers reported fraudulent activity as a result of the attack.