Michaels Confirms Data Breach

3 Million Payment Cards Potentially Affected

Arts and crafts retailer Michaels has now confirmed its stores were hit by a data breach that potentially compromised account information for 3 million payment cards.

The breach, which involved "criminals using highly sophisticated malware," potentially affected about 2.6 million cards used at Michaels stores from May 8, 2013, through Jan. 27, 2014. The malware attack also affected Michaels' Aaron Brothers stores, where approximately 400,000 cards were potentially affected from June 26, 2013, through Feb. 27, 2014, the company said in an April 17 statement.

Michaels says breached systems contained certain payment card information, such as payment card numbers and expiration dates, for its customers. There is no evidence that other customer personal information, such as name, address or PIN, was at risk, the company says.

The company provided a list of affected U.S. Michaels stores and a list of affected Aaron Brothers stores.

Michaels acknowledges it has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to use at Michaels or Aaron Brothers stores.

Impacted customers are being offered a year's worth of free credit monitoring and fraud assistance services.

"We encourage you to actively monitor all of your payment card account activity and immediately contact your bank or card issuer if you notice any suspicious activity," Chuck Rubin, CEO for Michaels Stores, says. "In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. We are committed to working with other parties to improve the security of payment card transactions for all consumers."

The company owns and operates more than 1,135 Michaels stores in 49 states and Canada, and 119 Aaron Brothers stores in 9 states.

Incident Background

Michaels in January announced it had detected suspicious activity on its networks (see: Michaels Investigating Possible Breach).

Following that report, the company says it retained two independent security firms to conduct an extensive investigation. Michaels says it also has been working closely with law enforcement authorities and coordinating its investigation with banks and payment processors.

Experts disagree about whether the payments breach at Michaels could be connected to recent card breaches at Target Corp. and Neiman Marcus (see Michaels: Linked to Target Breach?).

Back in 2011, banking institutions reported tens of thousands of fraudulent transactions linked to consumers who had visited Michaels craft stores that were affected by another breach (see: Michaels Breach: Fraudsters Sentenced).

POS and PIN-entry devices at 84 locations in 20 states were later found to have been swapped out with devices manipulated to collect card numbers and PINs. Investigators say 94,000 debit and credit cards were affected by the breach.


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



