American arts and crafts retailer Michaels Stores has confirmed a data security breach at its US stores and its wholly-owned subsidiary Aaron Brothers, affecting up to three million customers.
This is the second data breach incident at Michaels Stores since 2011 when reportedly 94,000 debit and credit card account numbers were stolen, reports The Verge.
The latest data breach occurred between 8 May 2013 and 27 January 2014, affecting up to 2.6 million cards, with potential impact on another 400,000 cards at Aaron Brothers unit, said to have occurred between 26 June 2013 and 27 February 2014.
More than 1,135 Michaels stores and 119 Aaron Brothers locations have been affected, which can be found on the company website.
In a statement on its website, Michaels Stores said," The computer hack involved highly sophisticated malware that had not been encountered previously by either of the security firms."
The retailer also noted that there is no evidence yet of any risk to personal data such as customers’ name or personal identification number, though information such as credit and debit card numbers and expiration dates have been exposed.
Michaels Stores is working with law enforcement authorities, banks and payment processors.
Michaels Stores is the latest US retailer whose systems have been compromised in a series of high-profile breaches since last year, including Target and Neiman Marcus.
US retailers have called for the formation of an industry group for collecting and sharing intelligence in a bid to prevent future attacks.
The National Retail Federation recently announced creation of a platform to enable retailers to obtain and share information on online security threats.
Trade groups have also recommended adoption of EMV, a payment card technology widely used in Europe and considered safer, which relies on a small chip embedded in each card rather than a magnetic strip, as reported in the New York Times.