Frequently Asked Questions
Updated: April 17, 2014
-
What happened?
We previously informed our customers that we might have experienced a data security issue. Since the announcement, we retained two independent, expert security firms to conduct an extensive investigation. After weeks of analysis, we discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. The affected U.S. systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. We have now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers.
-
Why is Michaels notifying Aaron Brothers customers?
Aaron Brothers is a wholly-owned and operated subsidiary of Michaels Stores, Inc. Our extensive investigation uncovered evidence confirming that systems of 54 Aaron Brothers stores were attacked by criminals using highly sophisticated malware. The affected systems contained certain payment card information, such as payment card number and expiration date, about Aaron Brothers customers who used payment cards at Aaron Brothers from June 26, 2013 to February 27, 2014.
-
What did Michaels do when it discovered the issue?
We previously informed our customers and relevant regulators that we might have experienced a data security issue. Since the announcement, we retained two independent, expert security firms to conduct an extensive investigation. We also have been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts. As soon as available, we provided data about potentially affected payment cards to the relevant card brands so they could take appropriate action.
-
What information may have been compromised?
The affected U.S. systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. There is no evidence that other personal information of these customers, such as name, address or PIN, was at risk in connection with this issue.
-
Which Michaels stores in the U.S. were impacted by this incident?
The attack targeted a limited portion of the point-of-sale systems at a varying number of Michaels stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and Michaels shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed here.
-
Which Aaron Brothers stores were impacted by this incident?
We have confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware. We estimate that approximately 400,000 cards were potentially impacted during this period. The locations for each affected Aaron Brothers store are listed here.
-
Is it safe to use a payment card at Michaels and Aaron Brothers?
Yes. We have now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers
-
What should I do to help protect my information?
If you believe your payment card may have been affected, you should immediately contact your bank or card issuer. Under U.S. law, you are entitled to one free credit report annually from each of the three national credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll free at 1-877-322-8228. We encourage you to review your account statements and monitor your free credit reports. For more information about steps you can take to protect your credit files, you can contact any one of the consumer reporting agencies at:
Equifax 1-800-525-6285 www.equifax.com Experian 1-888-397-3742 www.experian.com TransUnion 1-800-680-7289 www.transunion.com In addition, while we have received limited reports of fraud, we are offering identity protection and credit monitoring services to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. We also are offering these customers a fraud assistance service for 12 months at no cost to them. This service provides customers with a trained representative to assist them in the event they experience a fraud-related issue resulting from this incident.
-
How do I find out more about the identity protection, credit monitoring and fraud assistance services?
We are offering affected Michaels and Aaron Brothers customers in the U.S. identity protection, credit monitoring and fraud assistance services for 12 months at no cost to them. Details of the services are available here. If you have any questions or would like more information, please call us toll-free at 1-877-412-7145, Monday through Saturday, from 8:00 a.m. CT to 8:00 p.m. CT.
-
Would Michaels ever contact me asking for my personal information?
No. Michaels will never ask you to provide personal information in an email or by telephone. You should always be suspicious of any unsolicited communication in which you are asked for your personal information or which refers you to a web page asking for personal information.
-
Where can I get more information?
If you have any questions or would like additional information regarding this issue, please call us toll-free at 1-877-412-7145, Monday through Saturday, from 8:00 a.m. CT to 8:00 p.m. CT.