At the beginning of 2014 Target and Neiman Marcus confirmed that their stores had been victims of a point-of-service (POS) payment card breach. At the time the public was notified that several other retailers had also been targeted but were never named.
On April 17 Michaels Stores Inc. confirmed that cyber thieves had been stealing credit/debit card information during the processing of payment cards in its stores since May 2013.
“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.
The breach took place between May 8, 2013 and Jan. 27, 2014. Looking at the FAQ list on the Michaels website there seems to be a pattern to the different dates that data was stolen. While 2.6 million cards were affected, that only represents about 7 percent of payment cards used during those dates.
While investigating the POS security breach the company also discovered that about 400,000 cards were potentially impacted at its Aaron Brothers unit. The dates ranged from June 26, 2013 to February 27, 2014.
There was no evidence that data such as customers' name or personal identification numbers were at risk. More information can be found on Michaels website including the a list of affected stores and breach dates
This is the second known data breach since 2011 at Michaels Stores.
The two cyber security firms hired in January found malware not encountered previously had been used in the latest attack. The company said it was working with law enforcement authorities, banks and payment processors, and that the malware no longer presents a threat.
Following the precedent of other companies that were impacted by security breaches in the past, Michaels is also offering identity theft protection insurance. It should be noted however that this will not stop thieves from selling and/or using your credit card numbers. It only helps to protect your Social Security number which was not affected. Most consumers will have been notified by their credit issuers by now. If not, just monitor your monthly billing statements for any purchases you did not make, especially those involving small amounts or online purchases.