Michaels: Linked to Target Breach?

Experts Differ on Connection of Known, Suspected Retail Hacks
Michaels: Linked to Target Breach?

Experts disagree about whether a suspected payments breach at arts and crafts retailer Michaels could be connected to recent card breaches at Target Corp. and Neiman Marcus (see Retail Breaches: Congress Wants Answers).

See Also: OnDemand | Realities of Choosing a Response Provider

IntelCrawler, the California-based cyber-intelligence firm that earlier this month said it had identified at least six other retailers it expected to be targeted by similar point-of-sale malware attacks, tells BankInfoSecurity that Michaels is not believed to be one of those six.

"We can't confirm it," says Andrew Komarov, IntelCrawler's CEO. "Sometimes, such kind of incidents are random."

He adds that some retailers are targeted simply because they have lax security, which may have been the case with Michaels.

But financial fraud expert George Tubin, who serves as a senior security strategist for anti-malware and online security firm Trusteer, says the Michaels' attack seems to be more than a mere coincidence.

"The timing cannot be coincidental, especially given the lack of any specificity," he says.

On Jan. 25, Michaels issued a statement about a suspected breach, noting that it was working with federal law enforcement and third-party data security experts to establish the facts. But few details about the suspected attack itself were released.

"Based on the information the company has received and in light of the widely reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred," Michaels says.

Michaels has not yet confirmed a compromise of its systems, the company notes.

When reached for additional comment, a spokesman for Michaels said no additional details, beyond those contained in the statement, were being released at this time.

Tubin says all of these breaches are pushing retailers and the payments industry to take a closer look at the efficacy of the Payment Card Industry Data Security Standard (see Retailer Breaches: A PCI Failure?).

"All the effort, energy, and money that has gone into PCI, and this is what we get?" Tubin says. "Lots of folks tried to warn about the giant holes in PCI requirements, but they chose to look the other way. If any company had failed so epically, they'd be facing lawsuits or going out of business."

2011 Incident

If confirmed, this would be the second major payments breach Michaels has suffered. In 2011, banking institutions reported tens of thousands of fraudulent transactions linked to customers who had shopped at Michaels craft stores (see Michaels Breach: Fraudsters Sentenced).

POS and PIN-entry devices at 84 Michaels locations in 20 states were later found to have been swapped out with devices manipulated to collect card numbers and PINs. Investigators say 94,000 debit and credit cards were affected by the breach.

Based in Irving, Texas, Michaels has more than 1,105 craft stores in the United States and Canada.

(Jeffrey Roman, news writer, contributed to this story.)

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.