Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.
Investigators close to the case, but who asked to remain anonymous because they did not have permission to speak publicly, said that at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast.
In an alert (PDF) sent to customers, Irving, Texas based Michaels Stores said it learned of the fraud after being contacted by banking and law enforcement authorities regarding fraudulent debit card transactions traced back to specific stores. The Beacon-News, a Chicago Sun-Times publication, last week cited local police reports from several victims, describing the typical fraud as multiple unauthorized withdrawals of up to $500 made from ATMs at banks on the West Coast. It remains unclear when affected stores were compromised.
It also is not clear yet how the fraudsters compromised the POS devices, or whether the devices were tampered with in-place, or were replaced with pre-compromised look-alikes. But investigators say the fraudsters have used the stolen data to create counterfeit cards that are used in tandem with stolen PINs to withdraw funds from ATMs.
Detective Jeff Stolzenburg of the Libertyville Police Department just north of Chicago, said most of the fraudulent withdrawals have taken place at cash machines in Las Vegas and other parts of the West. Stolzenburg estimates that actual card losses from the fraud are now in the millions of dollars, and said that the investigation has since been turned over to the U.S. Secret Service.
“The scope of this thing has been pretty wide, coast-to-coast,” Stolzenburg said. “We’re dealing with thousands and thousands of victims,” Stolzenburg said.
Stolzenburg added that the attacks on Michaels Stores are similar to the fraud perpetrated last year against Batavia, Ill. based discount grocer Aldi Inc., which operates 1,110 stores in 31 states. Aldi disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August. A consultant who worked on that incident described the fraud as the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices.
Officials from Michaels Stores and the U.S. Secret Service declined to comment.
If you have purchased items from a Michaels store with a debit or credit card, you should watch your statements and account activity closely and report any suspicious or unauthorized activity.
Update, May 11, 11:31 a.m. ET: Michaels just released a statement (PDF) acknowledging that it has “identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 U.S. stores that showed signs of tampering. Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its U.S. stores.”
- Sources: Card Breach at Michaels Stores
Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Irving, Texas-based Michaels Stores, an arts-and-crafts retailer that has more than 1,100 stores in the United States and Canada.