Another data breach involving large US arts and crafts retailer

January 26, 2014

The Guardian reports in “Michaels says it is investigating possible data breach affecting customer cards” that Michaels, the biggest arts and crafts retailer, has been subject to a data security attack.

It provides:

Michaels, the biggest US arts and crafts retailer, said on Saturday it was working with federal law enforcement officials to investigate a possible data breach on its systems that process payment cards.

“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said the chief executive, Chuck Rubin, in a statement emailed to Reuters.

The company said it has also hired an outside forensics firm to investigate the matter.

If the company’s suspicions are confirmed, Irving, Texas-based Michaels would become the third major US retailer to be identified as a victim of a cyber attack since the middle of last month. Target Corp reported an unprecedented breach over the holiday shopping season and luxury chain Neiman Marcus disclosed that it suffered a smaller attack.

The FBI last week cautioned retailers to prepare for more attacks, saying it expects that hackers will succeed in using similar techniques to break into networks at other chains.

Michaels said in its statement that it had “recently learned of possible fraudulent activity on some US payment cards that had been used at Michaels, suggesting that the company may have experienced a data security attack”.

That statement quoted Rubin as saying that while the company had not confirmed that its systems had indeed been compromised, “We believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves.”

Target has said that some 40m payment card numbers and another 70 million customer records were compromised, while Neiman Marcus has said about 1.1m payment card numbers were taken.

Unlike many jurisdictions in the US, there are no mandatory data breach notification laws in Australia. The Privacy Alerts Bill 2013, which would have made notification of some data breaches mandatory, failed to pass the Parliament last year. Even though it had bipartisan support, it lapsed when Parliament was prorogued. That was unfortunate. That mistake would be compounded if the current Parliament failed to reintroduce it this year and pass it without delay.
