Michaels assured customers that a previously disclosed data security issue had been fully contained, raising the disconcerting prospect that such a claim can only be made after a breach has been detected.
The company said in January that it learned of possible fraudulent activity on some U.S. payment cards that had been used at its stores. An extensive investigation ensued that involved two independent security firms that, along with the company, worked closely with law enforcement authorities, banks and payment processors to determine what happened.
What happened was that criminals, using highly sophisticated malware that Michaels said the security firms it retained had not previously encountered, managed to breach its systems, potentially impacting 3 million payment cards used at its Michaels and Aaron Brothers stores. The company operates more than 1,135 Michaels stores in 49 states and Canada and 119 Aaron Brothers stores in 9 states.
The investigation determined that the attacks at Michaels stores targeted a limited portion of point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. The analysis conducted by the security firms and the company revealed approximately 2.6 million cards may have been impacted, representing about 7% of payment cards used at Michaels stores in the U.S. during the period of time when the attacks occurred. At the company’s Aaron Brothers stores, an estimated 400,000 cards were potentially affected between June 26, 2013 and February 27, 2014.
“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services,” said Michaels CEO Chuck Rubin. “Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers. In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
With the issue now said to be fully contained and no longer a threat, the disconcerting issue for Michaels, and really every retailer, is that it took Michaels almost nine months to discover that cyber criminals had breached its systems. The good news, if it can be called that, is that the bad guys apparently did little damage. According to Michaels, the affected systems contained certain payment card information, such as card numbers and expiration dates, about both Michaels and Aaron Brothers customers, but there was no evidence that other customer personal information, such as name, address or PIN, was at risk. In addition, the company said it had received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.