Michaels Stores said that its debit card terminals were compromised in 20 states, yet fewer than 100 customer debit cards were reported as used in fraudulent transactions.
It said that customers who made PIN-based debit card purchases at Michaels from Feb. 8 through May 6 might have been victims.
The company is in the process of replacing store PIN pads with the "most current, tamperproof equipment available today," starting with those in the Chicago region, which was hit the hardest.
Michaels said it did not have details on how exactly the tampering occurred in the stores. "We have quarantined the devices and have turned several over to the Secret Service so they can examine them," said Doug Marker, vice president of loss prevention and safety for Michaels. "[We] have a forensics team examining the other affected devices as well."
"We are confident Michaels is a safe place to shop," Michaels Chief Executive Officer John Menzer said in a statement Friday. "We want to express how deeply we regret any issues experienced by our loyal customers who have been affected in any way, and thank all our customers for their support."
Michaels identified 90 key pads that were tampered with in the states of Illinois, Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.
Michaels' checkout-line swipe terminals were probably tampered with or swapped out for other machines by thieves who stole account numbers and secret PIN codes, experts say. As a result, Michaels customers have reported that money was stolen from their bank accounts, often in the amount of $503, and often at cash machines in California.