Digital Transactions Authoritative, insightful and timely information for payments professionals
Seemingly confirming predictions from law enforcement and data-security executives in private industry that more data breaches beyond the recent ones at Target Corp. and Neiman Marcus Group are coming, arts-and-crafts retailer Michaels Stores on Saturday warned that “we may have experienced a data-security attack.”
Plano, Texas-based Michaels alerted consumers to the apparent new breach Saturday in a press release and letter from chief executive Chuck Rubin posted on its Web site. “We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data-security attack,” the letter says. “We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data-security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred.”
The company did not clearly state whether the apparent breach is actually over. In a question-and-answer section after Rubin’s comments, the letter asks, “Is it safe to use a payment card at Michaels?” Answer: “The company has taken steps to contain this issue and is continuing to address it aggressively.” A Michaels spokesperson could not be reached for comment Sunday.
The letter gave no details about when or how the apparent breach happened, or the types of cards involved, or their number. Rubin said “we deeply regret any inconvenience this may cause.” Michaels recommended that customers monitor their account statements for suspicious activity and said it would provide free identity protection and credit-report monitoring to affected customers.
Michaels posted the letter after the KrebsOnSecurity blog, which broke the news of Target’s breach last month, inquired about reports it heard from executives at four financial institutions that new fraud on cards was being traced by to cards consumers used at Michaels. Krebs said the retailer has hired a public-relations firm specializing in crisis communications.
Michaels is the largest craft-store chain in the U.S., operating 1,137 Michaels stores in the U.S. and Canada as well as 122 Aaron Brothers framing shops, according to the Dallas Morning News. If confirmed, the new breach would be the second card compromise at the firm in three years. In 2011, Michaels replaced 7,000 PIN pads in its stores after finding skimmers on fewer than 90 terminals.
The FBI recently warned retailers to prepare for more cyber attacks involving the same kind of memory-parsing malicious software used in Target’s massive data breach, Reuters reported. The FBI said in a confidential report seen by the news agency that it had discovered about similar 20 hacking cases in the past year and that point-of-sale “malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it.”
n
