Michaels Stores said Thursday that some 2.6 million credit and debit cards may have been subject to a security breach at its craft stores.
“Our customers are always number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” said Michaels CEO Chuck Rubin in a statement.
Its subsidiary Aaron Brothers was also attacked, with some 400,000 cards affected in the massive data breach.
The nation’s largest arts and crafts chain said the incident — which began last year — was contained, but that “limited” fraud reports from banks and credit card companies were reported.
Payment card numbers and expiration dates were collected, but no personal information was known to be leaked, Michaels said in a statement.
The breach at Michaels stores occurred between May 8, 2013 and Jan. 27. The company confirmed that between June 26, 2013 and Feb. 27, 54 Aaron Brothers stores were affected by this malware.
Michaels said that it was offering free identity protection, credit monitoring and fraud assistance services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months.
The data breach comes after Target’s massive security mishap in which some 40 million shoppers’ debit and credit card details were stolen by cyber criminals.