Michaels: Linked to Target Breach?Experts Differ on Connection of Known, Suspected Retail Hacks
Experts disagree about whether a suspected payments breach at arts and crafts retailer Michaels could be connected to recent card breaches at Target Corp. and Neiman Marcus (see Retail Breaches: Congress Wants Answers).
IntelCrawler, the California-based cyber-intelligence firm that earlier this month said it had identified at least six other retailers it expected to be targeted by similar point-of-sale malware attacks, tells BankInfoSecurity that Michaels is not believed to be one of those six.
"We can't confirm it," says Andrew Komarov, IntelCrawler's CEO. "Sometimes, such kind of incidents are random."
He adds that some retailers are targeted simply because they have lax security, which may have been the case with Michaels.
But financial fraud expert George Tubin, who serves as a senior security strategist for anti-malware and online security firm Trusteer, says the Michaels' attack seems to be more than a mere coincidence.
"The timing cannot be coincidental, especially given the lack of any specificity," he says.
On Jan. 25, Michaels issued a statement about a suspected breach, noting that it was working with federal law enforcement and third-party data security experts to establish the facts. But few details about the suspected attack itself were released.
"Based on the information the company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred," Michaels says.
Michaels has not yet confirmed a compromise of its systems, the company notes.
When reached for additional comment, a spokesman for Michaels said no additional details, beyond those contained in the statement, were being released at this time.
Tubin says all of these breaches are pushing retailers and the payments industry to take a closer look at the efficacy of the Payment Card Industry Data Security Standard (see Retailer Breaches: A PCI Failure?).
"All the effort, energy, and money that has gone into PCI, and this is what we get?" Tubin says. "Lots of folks tried to warn about the giant holes in PCI requirements, but they chose to look the other way. If any company had failed so epically, they'd be facing lawsuits or going out of business."
If confirmed, this would be the second major payments breach Michaels has suffered. In 2011, banking institutions reported tens of thousands of fraudulent transactions linked to customers who had shopped at Michaels craft stores (see Michaels Breach: Fraudsters Sentenced).
POS and PIN-entry devices at 84 Michaels locations in 20 states were later found to have been swapped out with devices manipulated to collect card numbers and PINs. Investigators say 94,000 debit and credit cards were affected by the breach.
Based in Irving, Texas, Michaels has more than 1,105 craft stores in the United States and Canada.
(Jeffrey Roman, news writer, contributed to this story.)