Update: Michaels Now Investigating Data Breach at its Stores Nationwide

Consumers still reeling from a massive data breach at Target stores and the theft of financial information from luxury department store Neiman Marcus got more bad news this week: Michaels Stores Inc., the nation’s largest arts-and-crafts retailer, now says that it, too, is investigating fraud on cards used at its outlets across the country.

The possible breach was first reported by security blogger Brian Krebs on Jan. 14 and acknowledged by Michaels on Saturday. The 40-year-old chain operates 1,259 stores across the U.S., both under its own banner and as Aaron Brothers frame shops.

“Michaels Stores recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the company may have experienced a data security attack,” the company said in a letter posted to its website. “The company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts.”

Michaels CEO Chuck Rubin said the company has not yet confirmed that payment information was stolen, but Krebs said that his sources at four different financial institutions reported that “hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.”

Neither Krebs nor the Michaels letter indicated how many cards may have been affected, when the breach might have occurred, or whether the company’s data systems are still compromised.

“Although the investigation is ongoing,” Rubin said, “Michaels believes it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves.” Michaels will continue to post developments on its website, the company said.

If it’s confirmed, the heist would be the second theft of financial information from Michaels in less than three years. Thieves tampered with debit-card processing equipment at roughly 80 of the company’s locations – including 11 in Oregon and Washington – over a three-month period in 2011. Michaels responded by replacing more than 7,200 point-of-sale PIN pads at stores across the country.

The latest potential heist comes on the heels of confirmed data breaches at Target and Neiman Marcus stores and the suspected theft of financial information from as many as six other retailers across the country. More than 40 million debit and credit cards were compromised over the busy holiday shopping season at Target alone, along with the names, addresses, email addresses and phone numbers of at least 70 million more consumers. Neiman Marcus says the breach at its stores lasted from July 16 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.

Last week, preliminary results of a survey by the Credit Union National Association showed that Northwest credit unions have already spent an estimated $1.3 million responding to the Target heist. The survey put the cost to credit unions across the country at somewhere between $25 million and $30 million to date, but said that those costs could grow substantially if fraud losses mount.


Questions? Contact Gary Stein: 503.350.2216, gstein@nwcua.org.
