Michaels Stores Inc. said Thursday that about 2.6 million customer credit and debit cards used at its namesake stores may have been affected in a security breach but it has received "limited" reports of fraud.
The nation's largest arts and crafts chain, based in Irving, Texas, said that its subsidiary Aaron Brothers was also attacked, exposing information on another 400,000 cards.
The company said that both store chains were attacked by criminals using highly sophisticated malware that had not been encountered previously by the two security firms that were conducting the investigation.
"We want you to know we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers while shopping at Michaels or Aaron Brothers," Michaels Stores CEO Chuck Rubin said in an open letter to customers.
The attack targeted systems containing payment card information at Michaels stores between May 8 and Jan. 27, and Aaron Brothers stores between June 26 and Feb. 27.
The details come nearly three months after Michaels disclosed that it may have been a victim of a data breach.
A massive security breach at Target Corp. late last year that affected 40 million cards has many shoppers worried about the safety of their personal data.