The Michaels craft-store chain reported that about 80 stores in 20 states have been hit by a card data stealing scheme that's much wider than previously reported. While the company didn’t give details on exactly how it happened, experts say it could be due to debit- and credit-card skimming, where thieves siphon off personal data from cards and then withdraw money from customer accounts.

Now the company is replacing PIN pads in stores after customers reported losing money due to the apparent card-skimming incidents. Consumer Reports, in its June issue, has an in-depth article explaining exactly why card-skimming keeps happening. In part it’s due to the vulnerable technology used by card companies for both credit and debit cards.

We also give advice on how consumers can protect themselves, as well as five things companies must do to protect customer data.

UPDATE: Michaels has issued a statement [PDF] noting that customer information was exposed in transactions from February 8, 2011, through May 6, when the retailer disabled PIN pads that had been tampered with at stores throughout the U.S.

The company has also provided a list of stores [PDF] where the compromised PIN pads were found.

The U.S. Secret Service is investigating the apparent widespread criminal skimming scheme. As of May 12, law enforcement officials have received fewer than 100 reports of customer PIN debit cards being used in fraudulent transactions. Though credit card information may also have been exposed, there have been no related reports of credit card fraud yet.

--Bob Tiernan