Michaels Breach: 4 Suspects Sought
Ore. Police Target Fraudsters; More Lawsuits Filed
Police in Beaverton, Ore., are investigating 50 fraud reports related to the breach, which Michaels has confirmed likely compromised debit accounts in 20 states.
Now Beaverton police say they are enlisting the public's help to identify four suspects who were caught on camera at Oregon ATMs using fake or white cards created from card details skimmed at area Michaels stores. "The suspects involved in these fraudulent crimes are from a larger organization which allows multiple crews to work numerous areas and move around quickly," Officer Pam Yazzolino of the Beaverton Police Department told local news media.
The breach, which at first was suspected of only affecting a select group of Chicagoans, quickly grew to become one of the most widespread incidents of POS PIN pad swapping the U.S. payments industry has ever seen. [See 3 Tips to Foil POS Attacks.]
The Secret Service continues to investigate, and on May 12, Michaels issued a statement saying it suspected purchases conducted only between Feb. 8 and May 6 had been exposed. After May 6, all U.S. POS terminals were replaced.
More Lawsuits Filed
Lawsuits against the Texas-based crafts chain continue to multiply. Two additional federal suits, bringing the tally to four, were filed earlier this month. The suits' claims range from inadequate customer protections and lacking reasonable security measures to poor breach notification policies and a seemingly nonchalant attitude about the stress the breach has placed on Michaels customers.
In one of the newest suits, filed by Chicago resident Kimberly Siprut, the plaintiff claims "Michaels has done nothing to remedy the breach or assist consumers who have suffered harm, and who continue to face a real and immediate threat of future harm." Siprut says Michaels' advice about the need for customers to "protect themselves" and "seek advice" on their own about how to respond to personal consequences which could result from the breach, such as identity theft, shows disregard.
In the other recent suit, filed by Jeremy Williams, who also resides in Illinois, the plaintiff claims Michaels should have taken steps to notify all of its customers via e-mail soon after the breach was detected. "It did not otherwise pursue commercially reasonable measures to notify its customers about the security breach," Williams' complaint states. "Michaels' email alert failed to provide timely and clear notification to anyone, thereby preventing customers from taking meaningful, proactive steps to secure their financial data and bank accounts."
Mike Veitenheimer, Michaels general counsel, says the retailer supports the actions it took post-breach. "We do not discuss the specifics of pending litigation. However, as it has been widely reported, Michaels acted quickly and aggressively to alert consumers nationwide of the problem and to secure its stores," Veitenheimer says. "In fact, the Secret Service, which is investigating this issue, has commended Michaels for its quick public response, and we continue to aid them and the banks in their investigations."
In May, Chicago resident Brandi Ramundo filed a federal suit against the crafts retailer, claiming it should have done more to protect its customers' cards from breach and compromise. [See Michaels Breach: Who's Liable?]
Earlier this month, Mary Allen of Chicago suburb Libertyville, Ill., took a different approach, claiming Michaels took too long to notify customers after the breach. Allen also claims Michaels' notification measures violated the Federal Stored Communications Act and the Illinois Consumer Fraud and Deceptive Practices Act.
Allen, Ramundo and Siprut have joined forces in a class action suit against Michaels.
Liability and 'Reasonable' Notification
Randy Sabett, partner and co-chair of the Internet and Data Protection practice at law firm SNR Denton LLP, says the cases could set an interesting precedent about retailer liability after a breach.
"There is a lot of entanglement in the credit card industry," Sabett says. "It all goes back to the contract. ... The way most of these contracts are written, the retailers aren't liable."
Breach notification is another gray area, says Linda Foley, co-founder of the non-profit Identity Theft Resource Center. Forty-six U.S. states currently have breach-notification laws on the books, but no law is the same, and enforcement is weak.
Both Illinois, the state where Allen's card was compromised, and Texas, the state where Michaels is based, have breach notification statutes on the books. In Illinois, companies are required to notify consumers of breaches that expose personal information within a "reasonable" period of time. In Texas, the law reads in a similar way, saying companies should notify the public as quickly as possible.
"Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state's attorney general's office," Foley says.
Until a national act passes, cases like Michaels could set legal precedent about what is considered reasonable and sufficient when it comes to notification. "Our goal is to have a government agency post the information so that the public has the opportunity to see what is going on and find out the information for themselves," Foley says.