CHICAGO -- Michaels Stores said Friday that while its debit card terminals were compromised in 20 states, fewer than 100 customer debit cards have been reported as used in fraudulent transactions.
It also identified the time frame that customer information was exposed. Customers who made PIN-based debit card purchases at Michaels from Feb. 8 through May 6 might have been victims.
The company is in the process of replacing store PIN pads with the "most current, tamperproof equipment available today," starting with those in the Chicago region, which was hit the hardest.
Michaels said Friday it did not have details on how exactly the tampering occurred in the stores. "We have quarantined the devices and have turned several over to the Secret Service so they can examine them," said Doug Marker, vice president of loss prevention and safety for Michaels. "(We) have a forensics team examining the other affected devices as well."
A Secret Service spokesman has said repeatedly the agency will not comment on the matter because it's an ongoing investigation.
"We are confident Michaels is a safe place to shop," Michaels Chief Executive Officer John Menzer said in a statement Friday. "We want to express how deeply we regret any issues experienced by our loyal customers who have been affected in any way, and thank all our customers for their support."
Michaels identified 90 key pads that were tampered with in the states of Utah, Illinois, Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Virginia and Washington.
Illinois was hardest hit, with PIN pads compromised in 14 Michaels stores, all in the Chicago region.
Michaels' checkout-line swipe terminals were probably tampered with or swapped out for other machines by thieves who stole account numbers and secret PIN codes, experts say. As a result, Michaels customers have reported that money was stolen from their bank accounts, often in the amount of $503, and often at cash machines in California.
Michaels also said Friday that while credit card information may also have been exposed during that time frame of the fraud, law enforcement officials have not received reports related to credit card fraud.