More Details Released about Michael’s Credit Card Breach

More details were released this week about the credit card breach of arts-and-crafts retailer Michael’s. The security breach was first reported on January 25, 2014 by Brian Krebs of After several months of investigation, the Irving, Texas based company has confirmed that its POS systems were compromised between May 8, 2013 and January 27, 2014. The company’s systems were hacked by “highly sophisticated malware” that stole card numbers and expiration dates, but did not compromise customer PINs, addresses, or other personal information. Michael’s estimates that the breach affects approximately 2.6 million of its customers, along with 400,000 patrons of its sister company, Aaron Brothers.

In January, sources within several different payment processors tracked a chain of fraudulent activity associated with customer credit cards used at Michael’s Stores Inc. Chuck Rubin, CEO of Michaels, stated, “We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue.”

This is the latest credit card breach of a major retailer in the United States. Previously Target, JC Penny, and Neiman Marcus experienced large scale security breaches by aggressive malware.

The recent rash of credit card breaches, has many consumers wary of card purchases and has put a spotlight on the issue of card provider and retailer security. Investigators noted that the Neiman Marcus and Target breaches seem to have occurred within days of each other, but were hesitant to claim that the same group was responsible for both breaches. To date, the attacks on the Neiman Marcus system have been traced to a Russian syndicate that has stolen over 160 million credit card numbers from retailers over the last 7 years.

It is now believed that two separate, less experienced groups were responsible for the Target and Michaels credit card breeches. Conversations about how to stop such breeches, have yet to reach any type of consensus. In the current technological environment, even the most inexperienced hackers have access to simple and cheap tools that are designed to install malware. Many of these tools are created and thrive in Eastern Europe.

“We’re now expanding the base of criminals that are committing these types of attacks. They used to be limited to the best of the best, “said Kimberly Peretti, a former cybercrime prosecutor at the Justice Department.

Neiman Marcus sent a letter to over a million customers whose payment-card information may have been compromised. “Although various investigations are still ongoing, we were notified that malicious software (malware) was downloaded onto our system. This malware actively may have attempted to collect or ‘scrape’ payment card data from July 16, 2013 to October 30, 2013. During this time approximately 1,100,000 customer payment cards may have been visible to the malware. So far, Visa, MasterCard and Discover have notified our company that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were used fraudulently.”


Breach in Target Security Shows Possibility that PCI is not Properly Set Up for Merchants


After the Target credit card breach was first reported by Brian Krebs on December 18, 2013 on the KrebsonSecurity blog, he made sure to mention that the breach took place at the store’s physical locations, and did not involve its e-commerce site. Details about the security breach that were reported in the media stated that it found that the Target credit card breach rivaled the 2007 TJX Companies breach involving T.J. Maxx in 2007 where an estimated 100 million card numbers were stolen, and the Heartland Payment Systems Inc. breach in 2009. After the T.J. Maxx breach, PCI, Visa, and MasterCard became so alarmed, that they wrote the rules of PCI compliance and the meaning of PCI compliance. As a result, every retailer and other card processing entity became subject to far more strenuous rules in order to become PCI compliant.

After Target confirmed the breach on the day after the release of Krebs’ blog post, Visa Inc. and MasterCard Worldwide issued statements to The Green Sheet stating that they both offer zero liability protection against fraudulent purchases for their cardholders, while a payments industry told The Green Sheet that the issue of security weaknesses lie with the retailer, and are not that of the payment providers. They believe that this shows that the PCI Security Standards Council should focus on the retail sector, especially considering the recent breaches have occurred in physical merchant locations and not online. Merchants state that the breaches show that it is clear that “PCI and its program is not properly set up for the retail location. And what they really need to do is stop basically bullying companies like us.”

Speculation has risen that the Target card credit breach must have been an inside job. Versus other security breaches that occurred in 2013, such as those that occurred at Schnuck Markets Inc., Zaxby’s Franchising Inc., and other retailers, the Target breach occurred quickly over a two week period, whereas the other breaches happened over extended periods of time. Critics believe that this shows that   the attack was coordinated and in-depth, making the idea that it was an inside job feasible.

For more on High Risk Processing click below