A dozen South Carolina stores operated by the arts-and-crafts retailer Michaels were affected by a widespread data security breach, an internal investigation has found.

On the web

To see the list of all affected stores and other details about the data breach, go to Michaels.com and click on the notice near the top of the home page: "Important Notice about Certain Customer Payment Card Information."

A breakdown posted online shows 30 separate incidents at the 12 Palmetto State locations, including Michaels outlets in Mount Pleasant and North Charleston, from last May to January.

The "potential dates of exposure" ranged between one month and five months, the company said.

The Michaels in Mount Pleasant at 1501 Highway 17 showed four possible breaches starting May 8 and ending Jan. 19.

The Irving, Texas-based chain said its North Charleston store at 7620 Rivers Ave. had one period of potential exposure, starting May 8 and ending July 29.

The other affected South Carolina locations are in Anderson, Bluffton, Columbia. Greenville, Greenwood, Myrtle Beach, Rock Hill, Spartanburg and Sumter.

Michaels announced it was investigating a possible data hack in January.

In a statement posted on its website, Michaels said that two security firms it has hired found evidence of a breach at Michaels and at another business it owns, Aaron Brothers. It involved "highly sophisticated malware that had not been encountered previously by either of the security firms," the company said.

The hack was traced to electronic point-of-sale devices, where customers swipe credit cards and debit cards to pay for their purchases. It has been contained, Michaels Stores Inc. said in a statement

"The affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers," the company said. "There is no evidence that other customer personal information, such as name, address or PIN, was at risk in connection with this issue."

The company said it investigation determined that about 2.6 million cards could have been compromised over the nine-month period, or about 7 percent of the total used at Michaels' 1,135 U.S. stores during that time. It didn't provide a state-by state breakdown.

It also said it has "received limited reports of fraud" but did not elaborate. Michaels is offering free identity protection, credit monitoring and fraud assistance services to affected U.S. customers for a year.

The Michaels report comes as many shoppers worry about the safety of their personal data following a massive pre-Christmas security breach at retail giant Target Corp. In that case about 40 million debit and credit cards were affected.

Contact John McDermott at 937-5572.