US Retail Cybersecurity Woes Continue


US retailers continue to face scrutiny over failing to protect customer card data. A potential third data breach is being investigated, while disturbing details on the other two continue to emerge.

Frauds & Crafts: Michaels Possibly Breached

The US Secret Service is investigating a possible security breach at Michaels Stores Inc., a Texas-based arts-and-crafts retail giant with more than 1,250 stores in the United States.

If the attack is confirmed, it would be the third reported data breach of a major US retailer since December. However, some experts maintain that as many as six major retailers have actually been hacked.

As first reported by Brian Krebs of Krebs on Security, several sources determined that hundreds of consumers whose cards were used for fraudulent purchases over the past few days had all recently shopped at Michaels. The fraudulent purchases were taking place primarily at big box retailers like Target and Best Buy, as well as another arts and framing store called Aaron Brothers, which is wholly owned by Michaels.

“It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place,” a fraud analyst for a large credit card processor told Krebs.

Michaels eventually issued a statement on 25 January, explaining that it has learned of possible fraud on payment cards that had been used in its store, “suggesting the company may have experienced a data security attack.”

Michaels said it is working with law enforcement and third-party data security experts to determine whether there was a data security attack on its systems.

Up to 1.1 Million Neiman Marcus Customers Compromised

High-end retailer Neiman Marcus admitted on 27 January that more than a million of its customers’ cards may have been compromised in its recent data breach.

In a statement on its website, Neiman Marcus explained that the malware, which collected or ‘scraped’ credit card data from its systems between 16 July 2013 and 30 October 2013, may have compromised more than 1.1 million cards. “To date, Visa, MasterCard and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently,” the retailer explained.

According to the retailer, social security numbers and birthdates were not compromised. Personal identification numbers (PINs) are also apparently not at risk because Neiman Marcus does not use PIN pads in its stores. Additionally, online customers, as well as shoppers who use Neiman Marcus and Bergdorf Goodman cards, do not appear to have been affected.

Target Faces Pressure from Congress

John Mulligan, Target’s executive vice president (EVP) and chief financial officer (CFO), has been called to testify before the US Senate Judiciary Committee on 4 February about the retailer’s massive data breach, Reuters reported.

Representatives from the Secret Service and the Department of Justice, both of which are investigating the breach, are expected to testify at the hearing. The Federal Trade Commission, which may investigate Target if the retailer is found to have improperly protected customer data, is also scheduled to testify.

Meanwhile, Henry Waxman (D-CA), Chairman of the House Energy and Commerce Committee, has demanded Target chief executive (CEO) Gregg Steinhafel turn over a plethora of documents related to the causes and impacts of the breach, including emails, analyses and internal reports. The House also has a hearing planned for early February.

With Congress applying more scrutiny over these breaches, retailers could find themselves on the hook. Randy Sabett, counsel at ZwillGen PLLC, told gtnews that historically, banks have been left “holding the bag” in many of these breach cases. “It’s something [banks] have fought for many years, mostly through litigation,” he said. “That’s part of the reason why the Minnesota legislature was convinced by the banking lobby to include a provision in their plastic card law that imposes an obligation on a breached entity to cover the costs associated with replacing cards when a breach occurs.”

However, Sabett emphasised that it is important for Congress to strike the right balance here; placing the burden solely on retailers might not be fair either. “I think Congress has a challenging task ahead to draft something that will be fair to everyone,” he said.
