Michaels: Why So Long to Report Breach?Experts Question Delay in Detection, Links to Other Attacks
Although it announced in January that it had detected suspicious activity on its network, the company did not reveal until April 17 that an investigation confirmed a breach potentially compromised account information for 3 million payment cards (see Michaels Confirms Data Breach).
Some security experts argue that what Michaels portrayed as a "highly sophisticated malware" strain may have eluded detection. But others says Michaels should have been able to detect the breach much sooner.
Analysts also are raising questions about whether the Michaels incident is linked to recent breaches suffered by other retailers, including Target Corp. and Neiman Marcus. And one card issuer says banks and credit unions should not be too quick to reissue cards to individuals affected by all of these breaches until they have all of the incident details.
When asked about why the breach took so long to confirm and whether the malware used was linked to other attacks, Michaels declined to comment. But in the company's April 17 statement, Michaels CEO Chuck Rubin said the company needed time to collect forensic evidence.
"In January, we notified you that we might have experienced a data security incident," Rubin states. "We wanted you to know quickly so you could take steps to monitor activity on your payment card account. Since that time, we have continued our extensive investigation with the help of two independent, expert security firms. We have also been working closely with law enforcement authorities and coordinating with banks and payment processors to determine the facts."
Sizing Up the Investigation
John Buzzard, who oversees FICO's Card Alert Service, notes: "It certainly sounds like Michaels' inability to identify this latest breach for such a long time could be attributable to one of the malware strains that have plagued other retailers. Malware strains are being proliferated so quickly that it's impossible to stay ahead of the curve."
The payments industry should brace itself for more customized malware-related attacks that defeat conventional detection systems and processes, Buzzard says.
Alan Brill, senior managing director of security solutions firm Kroll Cyber Security, says forensics investigations take time, and public expectations of breach confirmation can be unrealistic, depending on the severity of the attack.
"While I can't comment on the particulars of this case, it's important to remember that computer forensics is not a magic or instant solution to an incident," he says. "It takes a certain amount of time to go through what can be mountains of data looking for the anomalies. Once forensics has provided information, a company has to evaluate how to integrate that data into their response reporting."
When it comes to detecting and then analyzing never-before-seen malware, the amount of time organizations need can greatly vary, Brill says.
"The lens that Michaels must look through - as would anyone hit by this kind of attack - is that of understanding both how the malware was introduced into the POS system and why it was able to execute successfully," he says. "An interruption of the infection cycle might have reduced the impact, or stopped the malware from getting the data."
Took Too Long?
But financial fraud expert Shirley Inscoe, an analyst for the consultancy Aite, says it should not have taken Michaels, which suffered another POS breach back in 2011, so long to confirm its attack (see Michaels Breach: Fraudsters Sentenced).
"I don't understand why it took so many weeks for Michaels to confirm the breach that was reported in January," she says. "It seems these retailers - Michaels, Target, Neiman Marcus, etc. - would start investing in security if they all care as much about their customers as they claim to."
Al Pascual, senior analyst of security, risk and fraud for consultancy Javelin Strategy & Research, also questions why Michaels did not confirm the breach sooner.
"Considering that Michaels suffered a significant breach only a few years ago, I'm surprised that they were caught off-guard again," he says. "The rash of POS malware variants [hitting] retailers late last year prompted a significant response from the Secret Service, and the Michaels breach may have been a later discovery, which delayed the public disclosure as the Secret Service attempted to tie this case into their investigation."
Connecting the Attacks
Experts also question whether the Michaels breach is related in some way to other recent retailer breaches.
In early April, a Bloomberg news report, quoting unnamed sources close to the investigation, said the attacks on Neiman Marcus and Target were not believed to be linked. Sources in that report suggested the same crime ring responsible for the 2008 network intrusion that compromised Heartland Payment Systems Inc. was likely responsible for the Neiman Marcus breach (see Neiman Marcus Tied to Heartland Breach?).
But Pascual believes all of the recent retail breaches are likely connected, and that more retailers will soon reveal they have been breached as well.
In fact, he says industry contacts suggest that up to 40 retailers were targeted by the same group of criminals, and that the Target and Neiman Marcus breaches were just among the first to be detected.
"Given the similar M.O. [modus operandi], which involves cybercrime groups leveraging custom malware for hire, and the delayed announcement from Michaels, I don't doubt that this is one of the 40 as well," Pascual says.
In the wake of retail breaches, banking institutions might be well-advised to wait until they can group debit and credit cards linked to multiple breaches before they reissue cards, says one executive with a leading U.S. bank, who asked not to be named.
"About a quarter of Michaels' exposed cards are also in the Target [group]," this executive says. "So prioritizing reissue based on that overlap seems to make sense, since the odds on the overlap having later fraud are much greater."
The executive also notes that issuers should wait until they get specific compromise date ranges for cards impacted by retail breaches before they start reissuing cards.
"The number of accounts previously reported by the networks as exposed [in the Michaels breach] is dwarfed by the number they have now reported, by a factor of 6 or 7 to 1," the executive says.
And Brill says retailers must determine the best ways to secure their POS networks based on a number of factors.
"Each company has to evaluate how to best secure its network - to look at the various versions of monitoring systems that tell you that something unusual has happened and figure out how alternative ways of white-listing can prevent unexpected software from running," he says. "Depending on how a company's network is architected, there will be a range of approaches that might be appropriate for incident prevention, detection and response. Selecting the combination of methods in a particular situation is a key to developing a commercially reasonable level of protection."