Michaels Stores is the latest US retailer to suffer a security breach.
The firm said that about 2.6 million customer credit and debit cards used at its stores may have been affected in the breach, which took place between 8 May, 2013 and 27 January, 2014.
America's largest arts and crafts retailer said that its subsidiary Aaron Brothers had also been attacked, exposing information on an additional 400,000 cards.
Michaels Stores and Aaron Brothers had been "attacked by criminals using highly sophisticated malware that had not been encountered previously" by the security firms investigating the breach, the company said in a statement.
"The affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. There is no evidence that other customer personal information, such as name, address or PIN, was at risk..." the statement added.
This is the second known data breach since 2011 at Michaels Stores, which is planning an initial public offering (IPO). The firm resubmitted its IPO documents late last month after a restructuring.
Target Data Theft
In March, a US Senate report alleged that US retailer Target missed several opportunities to stop the hackers responsible for the unparalleled 2013 holiday shopping-season data theft.
There was no indication that America's second-largest discount retailer responded to warnings that malware was being installed on its system. Other automated warnings the company ignored, showed how the attackers would carry data out of Target's network, according to the report.
Reuters reported in January that three other well-known American retailers had suffered smaller breaches, carried out using similar techniques as the one on Target.
Earlier, in January, retailer Neiman Marcus revealed that it too had been a victim of a cyber attack.
Target discovered a major security breach in December 2013. Payment data from about 40 million credit and debit cards were stolen from Christmas shoppers at its stores over 19 days -- between 27 November and 15 December.
It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.
Target has confirmed that cybercriminals used malware installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.