Arts and crafts retail chain Michaels has revealed that it may have been the victim of a "data security attack", similar to those at Target and Neiman Marcus in recent weeks.
In a statement issued on Saturday the CEO of Michaels Stores, Chuck Rubin, revealed that the firm had "recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack."
The statement goes on to explain that the company is working with law enforcement to investigate the potential hack. The company says it will offer free identity protection and credit monitoring to anyone who could be at risk.
The attack appears to be similar to those suffered by Target and Neiman Marcus, covered by WeLiveSecurity here and here.
According to independent security writer Brian Krebs, a credit card processing company analyst began seeing card fraud taking place on "hundreds of cards" that had all been recently used at Michaels.
The attacks rely on malware that scrapes point-of-sale (POS) computers for unencrypted credit card details. Earlier this month, the US Computer Emergency Readiness Team warned of the danger of POS attacks, explaining that the malware scans the RAM for "track 1 and track 2 data" - respectively, the cardholder's name and account number, and the credit card number and expiration date.
The Wall St Journal notes that Michaels - which is currently owned by Bain Capital Partners LLC and Blackstone Group - is on the verge of issuing an IPO. Such an attack could have a significant effect on the company's opening share price.
Michaels owns 1,259 stores across the U.S., some of which are under the Aaron Brothers brand.
This is not the first time that the chain has been hacked. In 2011, hackers were able to tamper with 84 PIN card terminals at several Michaels outlets, resulting in the theft of more than 94,000 card numbers. Michaels was forced to replace 7,200 PIN pads, and settled a class-action lawsuit without admitting any wrongdoing, according to Reuters.