More details were released this week about the credit card breach of arts-and-crafts retailer Michael’s. The security breach was first reported on January 25, 2014 by Brian Krebs of KrebsonSecurity.com. After several months of investigation, the Irving, Texas based company has confirmed that its POS systems were compromised between May 8, 2013 and January 27, 2014. The company’s systems were hacked by “highly sophisticated malware” that stole card numbers and expiration dates, but did not compromise customer PINs, addresses, or other personal information. Michael’s estimates that the breach affects approximately 2.6 million of its customers, along with 400,000 patrons of its sister company, Aaron Brothers.
In January, sources within several different payment processors tracked a chain of fraudulent activity associated with customer credit cards used at Michael’s Stores Inc. Chuck Rubin, CEO of Michaels, stated, “We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue.”
This is the latest credit card breach of a major retailer in the United States. Previously Target, JC Penny, and Neiman Marcus experienced large scale security breaches by aggressive malware.
The recent rash of credit card breaches, has many consumers wary of card purchases and has put a spotlight on the issue of card provider and retailer security. Investigators noted that the Neiman Marcus and Target breaches seem to have occurred within days of each other, but were hesitant to claim that the same group was responsible for both breaches. To date, the attacks on the Neiman Marcus system have been traced to a Russian syndicate that has stolen over 160 million credit card numbers from retailers over the last 7 years.
It is now believed that two separate, less experienced groups were responsible for the Target and Michaels credit card breeches. Conversations about how to stop such breeches, have yet to reach any type of consensus. In the current technological environment, even the most inexperienced hackers have access to simple and cheap tools that are designed to install malware. Many of these tools are created and thrive in Eastern Europe.
“We’re now expanding the base of criminals that are committing these types of attacks. They used to be limited to the best of the best, “said Kimberly Peretti, a former cybercrime prosecutor at the Justice Department.
Neiman Marcus sent a letter to over a million customers whose payment-card information may have been compromised. “Although various investigations are still ongoing, we were notified that malicious software (malware) was downloaded onto our system. This malware actively may have attempted to collect or ‘scrape’ payment card data from July 16, 2013 to October 30, 2013. During this time approximately 1,100,000 customer payment cards may have been visible to the malware. So far, Visa, MasterCard and Discover have notified our company that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were used fraudulently.”