SHARE Click image to enlarge. Blow The Whistle Got a tip? Do you have an issue with government or a local business or a story idea for Public Investigator? E-mail us at watchdog@ journalsentinel.com, or call (414) 224-2318. The PI Blog Taking tips, chasing leads, solving problems. Our Watchdog team commits to investigating problems that affect you. GO TO BLOG

By of the

Michaels Stores Inc. confirmed Thursday that 17 Wisconsin arts and crafts stores are among the locations hit by a data breach that happened in 2013 and early 2014, affecting an estimated 2.6 million credit and debit cards.

Michaels said hackers stole payment card numbers and expiration dates by using malware. Michaels is offering free identity theft protection, credit monitoring and fraud assistance for a year to its customers.

The data breach also affected some 400,000 cards used at 54 stores of Michaels' subsidiary, Aaron Brothers, but there are no such locations in Wisconsin.

Michaels said only payment card numbers and expiration dates of cards was stolen.

"There is no evidence that other personal information of these customers, such as name, address or PIN, was at risk in connection with this issue," Michaels said.

The Wisconsin locations affected by the data breach are in Brookfield, Brown Deer, Eau Claire, Germantown, Grafton, Grand Chute, Green Bay, Janesville, Madison, Middleton, Milwaukee, Mount Pleasant, New Berlin, Onalaska, Plover, Wausau and West Allis, according to a document on Michaels Stores' website. All of them had credit or debit card breaches from May 8, 2013, to July 29, 2013.

In addition to those dates, Michaels stores in Brown Deer, Germantown, Grand Chute, Janesville, Middleton, Mount Pleasant, Onalaska and Plover were also hit Oct. 17, 2013, to Nov. 24, 2013, and Dec. 11, 2013, through Jan. 19.

Three stores were affected for a fourth period as well: Germantown and Grand Chute from Aug. 13, 2013, through Oct. 7, 2013, and Mount Pleasant from Aug. 30, 2013, through Oct. 7, 2013. The address of each store can be found on Michaels' website.

The 2.6 million cards represent 7% of the payment cards used at the stores during the relevant time, Michaels said.

Michaels is offering a year of free identity theft protection and credit monitoring services to its customers through AllClear ID. Target similarly offered a year of free credit monitoring after its data breach in November and December.

Breach has stopped

Michaels said the breach has now been stopped.

"We have now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers," the company said.

Michaels Stores chief executive officer Chuck Rubin emailed a warning to customers Jan. 25, asking them to watch their account statements for possible unauthorized charges in light of "possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack."

At the time, Michaels wouldn't confirm an attack, pending the outcome of an investigation by two independent expert security firms as well as investigations by law enforcement. The security companies have since confirmed the data security issue, Michaels said in a notification on its website Thursday.

It's the second time in three years that Michaels was hit by hackers. In May 2011, Michaels said criminals physically tampered with some payment terminals at some stores, including in Chicago.

Michaels recommends that customers request a free credit report at www.annual

creditreport.com or by calling (877) 322-8228. That service is not offered by Michaels but is a national requirement of the three credit reporting agencies.

What to look for

Customers are encouraged to watch their credit report for:

■ Accounts they didn't open.

■ Names of creditors listed although the consumer didn't request credit from them.

■ Inaccuracies, such as home address and Social Security number.

Consumers who see anything unusual in their reports should report it to the credit bureaus so it can be investigated and corrected. Unauthorized charges should be reported to the financial institution that issued the card as well as police.

Consumers can also consider placing a fraud alert on their credit file by calling each of the credit bureaus. A fraud alert will ensure that any creditor is notified of potential fraud in case someone tries to apply for credit using the consumer's name.

Equifax: (800) 525-6285.

Experian: (888) 397-3742.

TransUnion: (800) 680-7289.

Michaels customers who have questions can call Michaels toll free at (877) 412-7145 Monday through Saturday from 8 a.m. to 8 p.m. Central Time. More information about how to sign up for the free credit monitoring and identity theft protection is available on Michaels' website at www.michaels.com.

Consumers should be aware of phishing attacks in unsolicited emails. Michaels said it will not ask for personal information in an email or by phone.

For more consumer stories, tips, scam alerts and the occasional freebie, visit the Public Investigator blog at jsonline.com/piblog.

Facebook: fb.me/GitteLaasbyPage

Twitter: @GitteLaasbyMJS