HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 14 MINUTES AGO.
You are here: Home / Customer Service / Michaels: Nearly 3M Cards Breached
Neustar, Inc.
Protect your website & network using real-time information & analysis
www.neustar.biz
Michaels Says Nearly 3M Credit, Debit Cards Breached
Michaels Says Nearly 3M Credit, Debit Cards Breached
By Jennifer LeClaire / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
APRIL
18
2014



Michaels Stores is offering new insight into a headline-making data breach that was first announced in the shadows of the massive Target leak. While the Target leak left 70 million consumers exposed to cybercriminals, as many as 3 million customer credit and debit cards were breached in the Michaels event.

That news begs the question: If large retailers like Target can’t prevent data breaches, do smaller retailers like Michaels stand a chance?

Michaels first reported the data security issue in January after learning about possible fraudulent activity on some U.S. credit and debit cards used at its stores.

Between then and now, Michaels hired two independent security firms to undertake an investigation. The nationwide arts and crafts chain said it has also been working with law enforcement officials, as well as coordinating with banks and payment processors, to solve the puzzle. The company also apologized -- again.

“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused,” said Chuck Rubin, CEO of Michaels. “We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers.”

Bad News, Good News

With that said, here’s what the investigation uncovered: Criminals did indeed attack systems of Michaels and its subsidiary, Aaron Brothers, using sophisticated malware. Neither security firm had run into the malware before. That’s the bad news. The good news is the incident has been contained and the conclusions are shedding light on how to help prevent these attacks in the future.

For example, we now know that the affected systems held debit and credit card information, such as numbers and expiration dates. However, there is no evidence that other customer personal information, such as names, addresses or PINs, was stolen.

The attack on Michaels targeted a small number of point-of-sale systems at stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used at those stores during that period was impacted. Specifically, approximately 2.6 million cards -- about 7 percent of cards used in the store in that time frame -- may have been exposed. Another 400,000 cards were potentially impacted at 54 Aaron Brothers stores between June 26, 2013 and February 27, 2014.

Can Smaller Companies Keep Up?

We turned to Jeff Davis, vice president of engineering at Web information security solutions firm Quarri Technologies, to get his take on the latest Michaels revelations. He told us, although it sounds cliché, organizations that handle sensitive data almost can't be too careful these days.

“The battle between IT staffs and attackers is dauntingly asymmetric -- one successful breach can cause serious and lasting damage, even if the exploited organization successfully fended off thousands of attacks before [the successful one],” Davis said.

The fact of the matter, he noted, is attackers can fail 99 percent of the time and still make a profit. That leads him to the simple conclusion that security is “hard.”

“Even big financials get compromised every now and then, and no companies are spending more on security than they are,” Davis said. “It's frankly difficult to imagine how smaller companies can keep up in the cyber arms race. Clearly security needs to be a top priority with a commensurate budget.”

Tell Us What You Think
Comment:

Name:

SecurityByDesign:
Posted: 2014-04-19 @ 2:52pm PT
The inherent problem is in the credit cards. Security should be implemented at the few credit card networks, not at the gazillions of retailers small and large. Credit card networks should prevent retailers from storing anything related to the payment transaction, by contract. Payment should be a one-off token that leaves no trace on the retailer's system.

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
BMC's shared success is built on 6 fundamental principles: 1) An Intuitive User Experience 2) Agile Application 3) Actionable Intelligence 4) Adaptive Automation 5) Compliance & Risk Mitigation 6) Optimized Infrastructure & Cost. Contact BMC to learn more.
MORE IN CUSTOMER SERVICE
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
Sony is no stranger to breaches. Sony’s PlayStation Network was hacked in 2011 and attackers obtained 77 million user accounts. The latest attack comes against Sony Pictures Entertainment.

MOBILE TECHNOLOGY SPOTLIGHT
In its bid for the wearables market, Sony is reportedly developing a watch made out of electronic paper for release as soon as next year. The e-paper watch will emphasize style over tech innovations.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.