Irving-based Michaels Stores said Thursday that about 2.6 million cards, or about 7 percent of all debit and credit cards used at its namesake stores, may have been affected in a security breach.
The nation’s largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.
Michaels said that it has contained the incident, which began last year. It has received “limited” reports of fraud from banks and the payment card brands that are potentially connected to the breach.
The compromised data include customer information such as payment card numbers and expiration dates. But nothing indicates that other personal information, such as names, addresses or personal identification numbers, was at risk, Michaels said.
Michaels’ report comes as many shoppers worry about their personal data after a pre-Christmas security breach at Target affected 40 million debit and credit cards.
The details come nearly three months after Michaels disclosed that it may have been a victim of a data breach and that it was working with law enforcement authorities, banks and payment processors.
The company said Thursday that both chains were attacked by criminals using sophisticated malware that had not been encountered previously by the two security firms conducting the investigation.
“Our customers are always number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” Michaels CEO Chuck Rubin said in a statement.
The breach at Michaels stores occurred between May 8, 2013, and Jan. 27. The company confirmed that between June 26, 2013, and Feb. 27, 54 Aaron Brothers stores were affected.
The company said it is offering free identity protection, credit monitoring and fraud assistance to affected customers in the U.S. for 12 months.