Michaels Stores finally confirmed on Thursday that the credit card data of nearly 3 million customers was compromised in a recent data breach. That's about seven percent of the cards used at the the arts and crafts chain between May 8, 2013, and January 27, 2014. According to a statement from the retailer, there's no evidence that customer names or PINs were also compromised in the breach. The announcement comes months after the company first admitted it was investigating a possible hack.
A company subsidiary, Aaron Brothers, had up to 400,000 customer credit cards compromised by the breach, while Michaels Stores reported about 2.6 million vulnerable cards. The company concluded that the data breach happened at a limited number of point-of-sale systems at Michaels stores, using "highly sophisticated malware" not previously encountered by the security firms hired to investigate the breach. Michaels confirmed that it is aware of a "limited number" of fraudulent charges potentially connected to the breach. All affected customers will get 12 months of identity theft protection on the company's dime.
As Reuters noted, this is the second major credit card data breach for the company in the past few years. In 2011, hackers stole about 94,000 credit card numbers from a limited number of stores around the country.