The Michaels store at The Highlands is among those whose customers may have been affected by a security breach targeting credit and debit card information.
Michaels Stores Inc. said Thursday that about 2.6 million cards, or about 7 percent of all debit and credit cards used at its namesake stores, may have been affected by the breach. The nation's largest arts and crafts chain said its subsidiary Aaron Brothers was also attacked, with about 400,000 cards potentially affected.
Irving, Texas-based Michaels said that it has contained the incident, which began last year. It has received "limited" reports of fraud from banks and the payment card brands that are potentially connected to the breach.
Other area stores affected by the data breach include the Settler's Ridge location in Robinson Township, Pa., the McKnight Road store in Pittsburgh and the Morgantown location.
Potential dates of exposure were between May 8 and July 29 at both The Highlands and Robinson stores; during three separate periods at the McKnight Road store: from May 8 to Oct. 9, Oct. 16 to Nov. 23 and Dec. 12 to Jan. 19; and during four periods at the Morgantown location: May 8 to Aug. 12, Aug. 31 to Oct. 8, Oct. 16 to Nov. 23 and Dec. 12 to Jan. 19.
A manager at The Highlands store directed questions to information provided by the corporate office on the company's website.
The compromised data includes customer information such as payment card numbers and expiration dates. But there's no evidence that other personal information such as names, addresses or PIN numbers were at risk, Michaels said.
Michaels' report comes as many shoppers worry about the safety of their personal data following a massive pre-Christmas security breach at Target Corp. that affected 40 million debit and credit cards.
The details come nearly three months after Michaels disclosed that it may have been a victim of a data breach and that it was working with law enforcement authorities, banks and payment processors.
The company said Thursday that both chains were attacked by criminals using highly sophisticated malware that had not been encountered previously by the two security firms that were conducting the investigation.
"Our customers are always number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused," said Chuck Rubin, CEO of Michaels, in a statement.
The breach at Michaels stores occurred between May 8, 2013, and Jan. 27. The company confirmed that between June 26, 2013, and Feb. 27, 54 Aaron Brothers stores were affected by this malware.
Michaels said that it was offering free identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months.