Michaels Stores Inc. has confirmed that approximately 2.6 million payment cards were compromised in a previously suspected breach of its stores, with another 400,000 card numbers compromised in attacks against its subsidiary, Aaron Brothers.
In a press statement, Michaels, the biggest arts and crafts retailer in the U.S., said the attacks at its stores lasted more than eight months, spanning from May 8, 2013 to January 27, 2014, but that attackers only targeted a "limited portion" of the company's point-of-sale systems. The Aaron Brothers hacks also lasted eight months, from June 26, 2013 to February 27, 2014.
In a post on its website, Michaels indicated that payment card information, including card numbers and expiration dates, of approximately 7% of the credit cards used at its stores during the relevant period may have been affected, but that customers' names, addresses and PINs were not. The company said it has received only a "limited number of reports" from financial institutions that affected cards have been used for fraud.
Michaels said it hired two unnamed security firms to conduct an investigation into the incident, and confirmed that the breach has been identified and fully contained. Providing scant details about the attack methods deployed against it, the retailer stated that the two investigative outfits encountered "highly sophisticated malware" in its systems that neither had seen previously.
"Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused," said Michaels CEO Chuck Rubin. "We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers."
In a report by news agency Bloomberg earlier this month, investigators of the Michaels breach said "dormant malware," first installed in a previous breach, was discovered on the retailer's systems. The report also speculated that the hackers targeting Michaels were decidedly less sophisticated than those behind the compromise of luxury retailer Neiman Marcus.
Target Corp. CEO Gregg Steinhafel also blamed point-of-sale malware in the wake of his company's massive data breach, which resulted in the loss of approximately 40 million payment cards. In January, after the breaches against Target and Neiman Marcus had been confirmed, the U.S. Federal Bureau of Investigation distributed a confidential report to retailers warning that attackers were increasingly targeting point-of-sale systems with RAM scrapers: malware that reads the memory of the payment application and harvests card data in the short window in which it sits in cleartext, after the card is swiped and before the data is encrypted for authorization.
The breach is the second Michaels has confirmed in three years, as the retailer was forced to replace more than 7,200 point-of-sale terminals in 2011 after thieves had tampered with the PIN pads at a number of its locations.
"In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance," Rubin said. "Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers."