Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
By Reuters and James Eng

Two southern Californians have been charged with taking part in a conspiracy to steal 94,000 credit and debit card numbers from customers of arts-and-crafts chain Michaels in a 2011 cyberattack. The charges against Angel Angulo, 25, of Riverside, and Crystal Banuelos, 28, of Bloomington, were announced on Thursday by U.S. Attorney Paul Fishman in New Jersey, where Michaels also has stores.

Fishman said the conspirators captured customers' bank account information and personal identification numbers by installing devices on 88 point-of-sale terminals in 80 Michaels stores across 19 U.S. states. With the help of others, Angulo and Banuelos then produced counterfeit bank cards, and used them to withdraw more than $420,000 from automated teller machines, Fishman said. The scheme lasted from February to May 2011, when the defendants possessed 179 counterfeit cards in New Jersey, and affected seven banks including Bank of America, JPMorgan Chase, Toronto-Dominion Bank and Wells Fargo, Fishman said.

Angulo and Banuelos were each charged with conspiracy to commit bank fraud, which carries a maximum 30-year prison term and $1 million fine, and aggravated identity theft, which carries a maximum two-year term to be served consecutively. Angulo was scheduled to appear on Thursday in a Riverside federal court. Banuelos is at large.

Eduard Arakelyan, now 24, and Arman Vardanyan, now 26, are serving five-year prison terms after pleading guilty in March 2012 to defrauding holders of 952 stolen debit cards. Federal prosecutors at the time said those cards were linked to the 2011 theft that is the subject of Thursday's prosecution. Arakelyan and Vardanyan were also from southern California.

Related: Michaels Stores Says Up To 3 Million Cards Affected in Data Breach

Michaels disclosed earlier this year that it was also the target of a separate data breach in 2013-2014 in which information on up to 4 million customer credit and debit cards may have been exposed.