I've Been Mugged Blog

Michaels Stores confirmed on Thursday that 3 million credit card and debit card users were affected by its recent data breach. The retailer's statement read in part:

"After weeks of analysis, we have discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware... we have identified and fully contained the incident, and we can assure you the malware no longer presents a threat to customers... the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014."

In some Michaels stores, the attack lasted for a short duration. Michaels announced its data breach in January. The attack lasted about the same duration, eight months, at Aaron Brothers stores:

"Regarding Aaron Brothers, the Company has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. The Company estimates that approximately 400,000 cards were potentially impacted during this period."

The retailer's statement did not explain what security steps were taken so that a breach like this does not happen again. In its statement, Michaels seemed to try to minimize the breach impacts by emphasizing the portion of customers affected:

"Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. he analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period."

If you were one of the affected customers, there is no minimizing the hassles and disruption you experienced to get a replacement card from your card issuer, reset online billing and automatic payments for your new card account, and report fraudulent charges and/or money stolen to your card issuer for reimbursement.

Affected Michaels stores (Adobe PDF) are in 49 states, excluding Hawaii. Affected Aaron Brothers stores (Adobe PDF) are in Arizona, California, Colorado, Nevada, Oregon, Texas, and Washington.