Michaels Breach Results in Three Million Cards Compromised

US arts-and-crafts retailer Michaels Stores admitted last week that two security breaches that occurred over an eight-month period might have compromised more than 3m customer credit and debit cards. The company said it has received a “limited number of reports” from banks and payment card brands of fraudulent charges that may be connected to the breaches.

Michaels first learned of a possible breach at the end of January 2014. It was first reported by Brian Krebs of Krebs on Security, after several sources determined that hundreds of consumers whose cards had been used for fraudulent purchases had all recently shopped at Michaels.

Since then, Michaels has had two independent security firms investigating the incident. The investigation revealed that the retailer and its subsidiary, Aaron Brothers, were attacked with “highly sophisticated malware” that neither security firm had ever encountered previously.

Michaels said that the affected systems contained customer card information, such as card numbers and expiration dates. However, the retailer said there was no evidence that names, addresses or PINs were compromised.

The Michaels breach targeted certain point-of-sale (POS) systems in the stores between May 8, 2013 and January 27, 2014. The retailer said that only about 7% of cards used in the stores were affected; however, that amounts to about 2.6 million cards. The affected stores have been posted on the Michaels website.

The Aaron Brothers breach is said to have impacted 54 stores from June 26, 2013 to February 27, 2014. Michaels estimates that about 400,000 cards were affected. A list of affected locations was posted on the Aaron Brothers website.

Michaels said it has now “fully contained” the incidents, and that the malware no longer poses any threat to customers. The retailer added that it would provide affected customers with fraud assistance, identity protection and credit monitoring services.

“In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance,” said Chuck Rubin, CEO of Michaels. “Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

Krebs noted that this is the second time in the past three years that Michaels’ payment card systems have been compromised. In May 2011, the retailer acknowledged that criminals had physically tampered with POS devices in some of its Chicago stores. Further investigation revealed that Michaels’ POS devices had been compromised across the US.

