After LaCie announced earlier this week it was the victim of a massive credit card breach that lasted for a year, crafts store Michaels revealed in a press release that hackers may have stolen credit card data for 3 million of its customers, including buyers that shopped at its Aaron Brothers subsidiary. The company has hired two independent security firms to conduct an extensive investigation, which revealed that payment systems in Michaels and Aaron Brothers stores were attacked by “highly sophisticated malware” that had not been seen before by either firm.
While the malware has been neutralized at this time, the company determined that the hack was quite extensive, allowing hackers to steal certain payment information including card number and expiration date from Michaels and Aaron Brothers customers. However, there’s no evidence that customer personal information including names, addresses or PIN numbers were stolen.
The Michaels hack attacked various point-of-sales (PoS) systems at varying stores from May 8, 2013 through January 27, 2014, stealing data for approximately 2.6 million cards, or about 7% of cards used at Michaels stores.
The Aaron Brothers hack went on from June 26, 2013 through February 27, 2014, with data for approximately 400,000 cards having been stolen during that time.
Michaels says that it has received “a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected” to its stores. The company has already listed the affected stores on its websites, informed card brands about the cards that may have been affected, and is providing free identity protection, credit monitoring and fraud assistance services to affected customers for 12 months.
It’s not clear at this time whether this attack, which targeted PoS systems is connected in any way to the massive Target breach from late last year. However, following the Target hack, law enforcement advised that more retailers are likely to be victims in similar attacks in the future.