Michaels, the biggest U.S. arts and crafts retailer, said it is investigating a possible breach on its network and advised customers to check financial statements for fraudulent activity.
The warning, which comes in the wake of the unprecedented breach at Target Corp over the holiday shopping season, suggests that hackers may be attacking retailers in a spree the extent of which is yet to be fully understood.
Target last month disclosed an unprecedented breach that resulted in the theft of some 40 million payment card records and another 70 million customers’ records. Luxury retailer Neiman Marcus said on Wednesday that about 1.1 million cards were accessed in a breach it had previously disclosed. The FBI last week warned retailers to expect more attacks.
On Saturday, Michaels said it was concerned it might have been among those who were attacked and was working with federal investigators and an outside forensics firm to determine if there had been a breach.
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information,” Chief Executive Chuck Rubin said in the statement. “We are taking aggressive action to determine the nature and scope of the issue.”
The company said it decided to warn the public and launch a probe into the matter after hearing that there had been an increase in fraud involving cards of customers who had shopped at its stores.
It was not immediately clear how many cards might have been affected, when an attack might have occurred or whether the systems were currently compromised.
A company representative declined to elaborate on the statement provided to Reuters and said Rubin was not available to comment.
U.S. Secret Service spokesman Edwin Donovan told Reuters his agency was investigating the matter.
Michaels, while it had not yet confirmed that its systems had indeed been compromised, said: “We believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves.”
The timing is bad for Michaels, which last year filed to go public in an initial public offering and resubmitted its registration late last month.
If confirmed, this would be the second significant payment card breach at the retailer, whose two key investors are Blackstone Group LP and Bain Capital LP.
In a high-profile 2011 attack, hackers replaced some 84 PIN pads on payment-card terminals at a small number of its stores, resulting in the theft of about 94,000 payment card numbers, according to Department of Justice attorneys who eventually prosecuted two men charged in that case.
“This is devastating for them because this is the second time in a row,” said Gartner security analyst Avivah Litan. “The public and the credit card companies are going to slap their wrist twice as hard because they’ll say they haven’t learned their lesson and that they can’t be trusted.”
Last year Michaels settled a class-action consumer lawsuit related to the matter, without the company’s admitting to any wrongdoing.