Significant data breach at craft store chain in the USA leads to credit and debit card information of 3 million customers being stolen

April 20, 2014

On 26 January 2014, in Another data breach involving large US arts and crafts retailer, I posted on Michaels, a craft store chain, detecting a data breach. It had notified the FBI and was investigating. Further information has since been provided. In Michaels says nearly 3 million customers hit by data breach, the Washington Post reports that the data breach involved the theft of information from 3 million customers. What is clear from the story is that the information security system was woefully inadequate and remained so for a month after the announcement of the data breach.

It provides:

Michaels has confirmed that credit and debit card information was stolen from 3 million customers who shopped at some of its stores during an eight-month period.

The craft-store chain initially confirmed the data breach in January but gave few details of what occurred or how many customers were affected.

In the update, released late Thursday, the firm said criminals broke into its payment system last year, targeting the point-of-sale machines.

The malware affected customers who used their credit or debit cards to shop at Michaels between May 8, 2013, and January 27, 2014, a total of 2.6 million cards, the company said. Data from an additional 400,000 cards at its subsidiary Aaron Brothers were stolen from those who shopped between June 26, 2013, and February 27, 2014.

Michaels posted a list of affected stores on its Web site, which includes 23 stores in Maryland and eight in Northern Virginia. The retailer does not have any locations in the District.

News of the breach was first reported Jan. 25 by security blogger Brian Krebs. But the dates released by the retailer Thursday show that customers were vulnerable to attack for up to a month after the announcement. The company did not address the lag in its statement.

Michaels is one of several major retailers — including Target and Neiman Marcus — that were hit by cyberattacks during the past year. The breaches have sparked debates in Washington on the vulnerability of the nation’s magnetic-stripe payment card system and the need for a uniform breach-notification law that would require companies to tell their customers as soon as they discover an attack. Currently, companies are governed by a patchwork of state-level laws.

“This is just one more reason that we need federal data-breach legislation,” said Delara Derakhshani, policy counsel for Consumers Union, an advocacy group. “We have to raise the standards of accountability for retailers such as Michaels, Target or Neiman Marcus.”

Lawmakers have held hearings on Capitol Hill and floated multiple bills supporting federal legislation. Retailers and banks formed a working group this year to combine information and security measures that may help prevent attacks.

But there has been little progress on the issue.

“The ideal solution is going to be one that gleans from all of these bills,” Derakhshani said.

In its update to customers, Michaels did not elaborate on the nature of the attack but said criminals used a “highly sophisticated malware that had not been encountered previously” by either of the security firms investigating the breach. Michaels said it hired two independent security firms to investigate the attack — which is the company’s second data breach in three years.

The stolen information at Michaels and Aaron Brothers includes credit and debit card numbers and expiration dates. Customer names, Personal Identification Numbers (PINs) and addresses were not affected, the company said.

“With this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” Michaels chief executive Chuck Rubin said in a statement.

The company has received “limited reports” of fraudulent activity, he said, and is offering customers free credit-monitoring services for one year.

The retailer’s last breach occurred in May 2011, when criminals tampered with 90 PIN pads at stores across the country to steal customers’ payment card information. At the time, the company said fewer than 100 customers reported fraudulent activity as a result of the attack.
