Michaels Stores, the biggest U.S. arts and crafts retailer, on Thursday confirmed that there was a security breach at certain systems that process payment cards at its U.S. stores and that of its unit, Aaron Brothers.
The company said in January that it was working with federal law enforcement officials to investigate a possible data breach.
Michaels Stores said the breach, which took place between May 8, 2013, and Jan. 27, 2014, may have affected about 2.6 million cards, or about 7 percent of payment cards used at its stores during the period.
The company said about 400,000 cards were potentially impacted at its Aaron Brothers unit by the breach, which occurred between June 26, 2013, and Feb. 27, 2014.
There was no evidence that data such as customers’ names or personal identification numbers were at risk, Michaels Stores said in a statement.
This is the second known data breach since 2011 at Michaels.
Michaels, whose major investors are Blackstone Group LP and Bain Capital LP, said cyber-security firms it hired found that malware not encountered previously had been used in the latest attack.
The company said it was working with law enforcement authorities, banks, and payment processors, and that the malware no longer presents a threat.
Michaels, which resubmitted its IPO documents late last month following a restructuring, is the latest U.S. retailer whose systems have been breached.
Last year, the No. 3 U.S. retailer Target suffered a massive security breach that resulted in the theft of some 70 million customer records.
Reuters reported in January that smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one used on Target.
U.S. retailers are planning to form an industry group for collecting and sharing intelligence in a bid to prevent future attacks.
Michaels, which owns several private brands such as Recollections, Artist’s Loft, and Loops & Threads, competes with Hooby Lobby Stores, Jo-Ann Stores, and Wal-Mart Stores.