Back in January, Michaels Stores Inc. confirmed that it was working with federal law enforcement and conducting an investigation with the help of two independent, expert security firms into the possible fraudulent activity on some U.S. payment cards.

The U.S. Secret Service also confirmed that it was investigating a potential data breach at the Irving, Texas-based art-and-crafts chain store. Read: Michaels May Be the Latest to Be Hit in Retail Hack,

Now months later, Michaels has confirmed that its systems in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware. Even more, this malware had not been encountered previously by the security firms investigating the breach.

The company has now identified and fully contained the incident.

The affected systems contained certain payment card information about both Michaels and Aaron Brothers customers, such as payment card number and expiration date, according to the company. There is no evidence to suggest that the hackers obtained other personal information like PIN numbers, names and addresses.

“The attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014,” states the company’s announcement. “Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue.”

Approximately 2.6 million cards may have been impacted, which represents about 7 percent of payment cards used at Michaels stores in the U.S. during the relevant time period, the company revealed. As for Aaron Brothers, 54 stores were affected by malware between June 26, 2013 and February 27, 2014. The company estimates that around 400,000 cards were potentially impacted during this period.

Michaels’ announcement said that it has provided data about potentially affected cards to the relevant card brands so they can take appropriate action. The good news here is that Michaels has only received a limited number of reports from the payment card brands and banks regarding fraudulent use of payment cards potentially connected to to the two stores.

“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” said Chuck Rubin, Michaels CEO. “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

Customers who have questions or would like more information, can call (toll-free): 1-877-412-71451-877-412-7145, Monday through Saturday from 8 a.m. to 8 p.m. CDT.