17 Apr 14

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.


75 comments

  1. Robert Scroggins

    Another one of those “highly sophisticated” attacks, and this is the second such occurrence! Well, I guess there is nothing but highly sophisticated malware out there now, eh?

  2. Thanks. I am affected, sigh, yet again. I was hit in 2011 by Michael’s; State Of Ohio Employee lost laptop with citizen information on it; Target of 2013; PayPal in 2011; and now Michael’s, again.

    The remedy that they all give is to check your credit report by ordering a FREE annual credit report. WELL GUESS WHAT, I have already used up my “Free” annual review dealing with Target. NOW WHAT? Who will reimburse me for having to continually pull / pay for ongoing credit reports? (Not that that does anything–agree wholeheartedly with Krebs on that) But at least it’s something.

    And who pays for my bank to continually FEDEX replacement cards? I DO. Where is my relief? I used to be middle class, now I am just plain old poor, and getting poorer.

    • Actually, TARGET, in their example, will get bills from the banks for their cost of re-issuing cards…

      • Actually, no. I have to pay for my bank to FedEx the card to me, instead of waiting for snail mail because there are no bank branches in my state. $15/hit.

        • I called my credit card company and said I would not be home for 2 months so I would have to use another credit card until I got my new one. They offered to waive my $15 fee and send me one overnight. I accepted. They charge me anyway. I called to ask why they charged when they said they would not. They apologized and refunded the fee.

          Just saying the fee can be waived if you are insistent and willing to do without the card.

      • No, banks will not get much, if any, money from Target. And if/when they do, there is nothing to repair the cost of replacement, and it’s usually years/months after the loss.

      • Target will likely pay pennies on the dollar for reissuance. Banks eat the vast majority of these costs.

    • The one thing that may have protected me in the Target Breach was using their in-house credit card. That card is good only at Target and has a tiny limit. While that means that Target still has data about me that can get stolen (and it was not as far as I know), the card number is worthless. If the card number and my name on it were stolen, but none of the other stuff, then the only good I see there is that Target would be on the hook for card replacement, not me.

    • The ID theft / credit protection offered by Target and any other corp that lost your CREDIT CARD info is a complete public relations move. Details of your credit card cannot be used to steal your identity or open more accounts. It’s like getting health insurance because your car was stolen.

    • At what point do you just decide to pay cash? This isn’t rocket surgery.

      • I’m considering cash now for store purchases. Not sure how best to handle my online purchases though, which greatly outnumber my store purchases.

        • Rabid Howler Monkey

          Cash. There’s no free lunch. Brian has written much about skimmers, including “ATM skimmers, gas pump skimmers and other related fraud devices”:

          http://krebsonsecurity.com/all-about-skimmers/

          P.S. Am assuming that you would get cash from an ATM using a credit or debit card. Sidenote: I used to work in a building with a bank branch on the 1st floor and getting cash was easy then, at least M-F from 9-5.

        • Get a prepaid card. The reloadable kind. Only load an amount of cash you are willing to lose and only load on the day you plan to make the online purchases. This way if your card is compromised, chances are you would have under $5 on the card. It can get annoying to have to reload the card each time, but this is the way I keep my ducks in order.

          Also I always go in person to the bank. I don’t use skimmers/ATM’s. I pay cash in person.

          Keep it old school.

  3. Strangely they offer two flavors of monitoring, one has you call an 800 number and the other requires you to attest you shopped there and provide an email address. They also stress all the stuff you can do on your own, like the three free reports that may have been used already in this busy year. Plus a link to the FTC, gosh as always helpful to no one.

    All while asserting that the effects have been minimal. Which I guess refers to them as a company, in that they have not been fined or sued, just over charged by two forensics firms that took forever to find the problem.

    Perhaps a lesson in incident response for the rest of us on the front lines.

  4. TheOreganoRouter.onion.it

    This is even more of a reason to start moving credit and bank cards to chip and pin as soon as possible. This problem is not going away any time soon, so it’s time to start thinking about securing everyone’s cards better, otherwise these kinds of breaches will continue on for months to come.

    • Why keep your thinking stuck in credit cards? If I can’t get it (desired purchase) locally in my smaller town, I reconsider a different solution. Use temporary card numbers for on-line purchases. Locally, we have a Michael’s and a Target, among other larger names. However, I can still use CASH there. Use the ATM inside the branch building and pay in nicely anonymous cash. Then, I don’t have to worry about Safeway/Von’s having the same breach as Target, for example (just hypothetical about Safeway/Von’s).

      There are many options.

      • There is zero protection from theft or loss of cash.

        • I trust myself to keep my wallet a lot more secure than these retail chains care to protect my credit card info.
          I will be paying cash. I will also not go back to these stores which have given away my info to hackers and have done exactly jack about it.

        • I agree, Steve. No protection for cash. But now I’m looking at my stats … 2 times a victim of credit card fraud and I might have been a Target breach victim too had I not changed my card number. Number of times I’ve been robbed: zero. Number of times I’ve lost cash: I can’t even remember a single incident. So now I’m considering using cash. It will be less convenient though.

  5. Sophisticated means they don’t know what happened.

    • Good one Ralph.

    • If they can’t dazzle us with real safeguards, and enforcement, they baffle us with “sophisticated” corp-speak that first gets a yup nod going around the conference table and is then delivered to the media quaking at the thought of losing advertising revenue. For the moment, the public is vaguely comforted, but really on the way to eventual and total apoplexy. Ralph is right. Throwing fancy words at a skilled and clever moving target is just another way of demonstrating that they’re clueless.
      Best Defense: Cash not cards !

  6. No word on who the “independent security firms” were? Might be nice to know who couldn’t find this stuff and who could.

  7. Hmmm. Only 7% of card holders? So they got that going for them. Oh, I guess that’s OK, then.
    Either smart chip credit cards sooner than later, and also pass laws making breaches like these criminal wrongdoing with appropriate penalties including monetary and jail time for the retail establishments and their CIOs.

  8. Was this Windows XP-related?

  9. As a banker, I cringe every time there is another breach. Banks bear the brunt of the expense of these breaches, while consumers bear the extended exposure of their personal information over the years following a breach.

    Through re-issuing customers’ credit and debit cards, to the losses banks post for the transactions customers file disputes on. Retailers need to be held financially responsible for the effects of their lack of security measures, not just offering credit monitoring services to consumers.

    I would like to see every link in the credit/debit card processing chain held responsible for their actions. Placating consumers with free credit monitoring that doesn’t protect them as retailers think, and doing nothing for banks and other card issuers that bear increased expense through no fault or responsibility of their own, isn’t doing much to offset the aggravation and expense these breaches cause.

    • Mr Greis, please see my rant somewhere below, if it passes the moderation screening.

    • theshellcodedude

      “As a banker” lmao you cringe, we cringe everyday we have to pay your outrageous atm fees.

  10. I cringe at the length of time these breaches go on. It’s no longer a grab and run, but more stand by the store door and pick customers’ pockets as security is off someplace else. It’s this kind of breach that really brings into question current security measures and begs for something better.

  11. Time for Bitcoin to save us all.

  12. I’m considering ordering a “replacement” card every time I see a story like this. Thoughts?

  13. Time to stop using credit/debit cards and pay with cash.

  14. I agree with Elaine. It is time credit cards are done away with and we all start using, hmmmm, what’s the word…. CASH. This kind of theft is going to happen more and more. I shopped at Target last year (2013) November and I was told this year (2014) in February that my credit card had been compromised and was sent a new one. Needless to say, I don’t shop at Target anymore and I now use cash where ever possible. If the credit card companies have to continually ‘eat’ the stolen money, guess who they will pass the backlash onto, yes folks, us.

  15. Where is the now standard, “We [ ..fill in… Michaels…] take computer fraud very seriously, and have taken steps to assure that this will not happen again.” ….?

    So..here’s a pertinent open question to all:

    My local coffee shop, not a Starbucks, not a national brand, indicates a different retailer’s name on my bank’s website window indicating my charges debited to my account when I use my local bank’s debit card at that local coffee shop.

    I’ve asked the coffee shop counter clerk if the Management are aware of this, are they affiliated with this other name in any way, and the clerk answered, “Yes, we know about this other name, and no, we’re not related in any way.”

    Well. That was that.

    O.K….So now I use cash only there, and when I use their WiFi, I surf Google News and Muslim terrorism and other such generalized topics, do not open up into my email and bank records, or other personal sites.

    This is really off-pissing, this attitude, this frequency of Krebs’ revelations right here in front of us on a daily basis….and all of the oh-so-smart smart guys in I- dammit -T. don’t seem to have any all -encompassing answers. After all of these years.

    I don’t accept this “too broad a diversity” of apps thinking, this “too many systems” thinking. Where is the effective firewall? Stop this Jack-in-the-Box gleeful Gotcha! B.S.

    Where is the needed I.T. sophistication applied by these white hat smart guys on a World Wide basis to prevent these pop-up effing TEEN-agers from afflicting their malice on all of us? …and also the more serious adults who’re really, really good at this serious financial fraud.

    Hence my layman’s irate conclusion:
    If only a fraction of the money lost due to this rampant, universal fraud were applied to a systemic [no puns here] solution we’d not have this problem. It seems to be a question of sufficient organization, cooperation, and R&D cash allocation needing to be applied. But, still, nothing happens.

    End Rant.

    • The operative word that summarizes your rant is “dysfunctional.” It seems to be endemic these days, but it waxes and wanes throughout human history.

      We search for solutions but it will always be with us. It’s commonly referred to as “the human condition.”

    • Your rant is what most rants are. An unthinking emotional outpouring. Clearly you have no idea about how these crimes are perpetrated, the sophistication of today’s attackers, nor what goes on behind the scenes to both attempt to protect the data as well as the continued pressure by business and consumers to thwart such attempts.

      Wonder why the U.S. is about the only country in the western world without chip and pin? It’s because the businesses won’t spend the money and consumers don’t care as long as their card works to buy that iPod. How many countries that do have chip and pin see these type of successful attacks?

      In addition, this was not some teen in his basement playing around on his parent’s computer. How successfully has law enforcement been able to curtail physical organized crime? Are there no bank robberies, car jackings, house break-ins, extortion, kidnappings for ransom? Where there is money to be made from criminal activity, you’ll find the criminals. U.S. retailers just make it so much easier by caring only about one thing; making money.

      As one of the commenters posted above, the time has come for everyone in the credit card chain to feel the cost of this crime. Until then the businesses won’t care. Why do people continue to go back to Michaels? Every purchase that gets made by credit card at that store is proof that no one cares about anything except being able to buy and sell stuff.

      Let your money do the talking and stop ranting about stuff that you don’t understand.

      • More logic, less emotion. Chip and Pin isn’t a solution, any more than electric cars are the solution to pollution. (55% of US power is generated by burning coal, which means the pollution produced to charge an electric car may be up to 3 times what the gasoline equivalent would have produced.)

        Fraudulent purchases are made through the internet, using the data obtained, which Chip and Pin will not solve. Instead, one of the things we were promised with IPv6 was that people would not be able to hide their IP addresses. If that is implemented, then all that has to happen is the banks start denying charges coming from Eastern Europe, unless the customer says he is in Eastern Europe.

        Meanwhile I strongly agree with the “share the pain” comment above. If retailers are on the hook for part of the loss, they are going to start helping find a solution instead of continuing the problem.

    • Thank you, Charlie.

      My two word rant:

      Institutional Schizophrenia

      • Thank you, Mark Allyn, for your perfect terseness.

        “Institutional Schizophrenia” – summing up a complexity that seems literally to’ve gotten out of control. This seems to be expressed, indirectly or directly, by the frustrated irritation shown by the more sophisticated techno-commentary here on the Internet I’ve sought out that this has apparently been going on for two years, and none of them knew about it. That’s our universal problem. No one seems to’ve known about this error.

        But naturally the N.S.A. has popped up – that would be a “given” – supposedly [or possibly not] using this Heartbleed error [manfully admitted by the maker] for their own purposes. How did they know about it? Well, why not, isn’t that their job?…on and on and on. The techies have created a hydra headed monster. I guess we asked for this.

        I stand by my assertion that it’s a question of maximizing profits over spending more on building firewalls. Chicken or egg problem?….don’t ask this layman. That’s for the techies to know.

        Now the I.T. industry is unwittingly “hoist on their own petard” and is lashing out in frustration everywhere.

    • Most of these IT gurus still feel, even in this day and age, that it’s always just a dumb user’s fault.

      So arrogant they believe it can never happen to them, because they are computer literate and are very careful. And so condescending, they feel the rest of society aren’t worth helping.

      I never hear about so called “hacktivist” groups, ever exposing other hackers. I don’t even know about any Journalists like Krebs, who presents stories so many everyday people can relate to.

      It really feels like no one in power is going to take these things seriously until something bursts like the housing bubble due to online fraud, or a cyber act of war.

      For banks, millions of dollars is a drop in the bucket and not worth worrying about, but in no way are these victimless crimes for their clients.

  16. Was Michaels PCI DSS compliant at the time of the breach?

    • Probably. PCI compliance is only a very basic set of security recommendations. As we have seen with Target, you can get the checkmark on a PCI audit and still have poor security practices.

    • I’m sure they were. Being PCI compliant does not mean that your business is secured. All it means is that you can fulfill the requirements listed in a standard that was written years ago.

      The problem with PCI and similar standards (HIPAA, SOX, NISPOM, etc…) is that from the executive perspective complying with these standards becomes the complete end goal instead of one check mark on the overall corporate security policy. I can’t tell you how many times I’ve pointed out poor security design only to be shot down with “We meet PCI”.

      Further, it gives “IT Security Consultants” a way to make a quick brainless buck by helping companies to become PCI compliant while completely ignoring their customer’s actual security vulnerabilities and needs. Hey, you passed your annual PCI audit, we must have done our jobs, right?

      I truly believe that we’d be better off as a whole without PCI. It gives corporate decision makers too simple of a goal to shoot for, and no reason to shoot any higher.

      • I agree with you nearly 100%. I’m not necessarily ready to say we should have PCI, but we do need to come to terms with the idea that PCI compliance does not indicate a secure environment any more than a driver’s license is proof of a good driver. The good news is a lot of executives are re-evaluating their decisions regarding security. We’ll see if they are willing to follow through in the next year or so.

  17. Were Michael’s stores in Canada not affected because they use a different type of card?

    • There has been nothing said. However, they use a different system in Canada so it is likely Canadian cards are unaffected. This was also the case with Target.

  18. I’m about to scrap my store credit cards and start using cash everywhere I shop.
    I feel like, eventually, our whole credit system is going to collapse at the hand of criminals. I’m quickly losing faith in the convenience of swiping a card.

    • I wish there were some way I could lock and unlock my credit cards. I’m envisioning unlocking one before going shopping, then locking it when I get home. Or setting up an auto-lock in case I forget to do it, let’s say it locks 4 or 8 hours after the unlock. It seems like there’s a way this could work and wouldn’t be too hard for the providers to set up.

  19. I usually use cash at Michaels (less than $10 purchases), but once last September I used my VISA.
    In October, while I was out of the country, someone charged $3700+ to my card. When they tried to do that again in a day or two bank got suspicious and tried to call me to verify. Since I was away no one answered. They stopped the card.
    I found out about it when I tried to use the card abroad and it was declined. I called the bank and found out what happened.
    Of course, Michaels has not said anything to me.

  20. FRAUD IS SO COMMON. THE BEST WAY TO ADDRESS IT IS TO SET UP 2 ACCOUNTS WHERE MY DIRECT DEPOSIT IS SECURE and ANOTHER ACCOUNT TO DO MY SPENDING WITH! THAT WAY I ALWAYS HAVE MONEY TO PAY BILLS IN MY MAIN ACCT. THIS HELPS ME BUDGET AND PREVENT ANY FRAUD THAT CAN OCCUR SINCE SO MANY STORES ARE FACING THIS ISSUES LATELY! GO SEE YOUR BANKS!!! MINE DEFINITELY HELPED ME OUT

    • Makes sense, but I would think that your bank would hit you with all sorts of fees for not having a direct deposit going into your secondary account or by keeping a minimum balance in it. I like the concept though…

      • You can solve this by having two direct deposits if your payroll staff allow. Using this method you can direct deposit $10/month. or whatever small amount to the second account to keep the free checking.

    • Perhaps with the money you’ve saved you could purchase a replacement caps lock key?

  21. 2nd big hack to happen this year. Wow.

    I think this does question if things like cryptocurrency are the next thing.

    I assume with Windows XP expiring, that this is only to happen more in the near future. iPad point-of-sale systems have a leg up here.

    Patrick, http://revelsystems.com

    • More secure transaction systems are next. Running to another OS will only change the attack mechanisms – not necessarily the success rate . This is especially true if the POS software is not itself secure, or as in Target’s case, is not properly isolated from less secure systems. The real solution here is to not use 40 year old technology (credit cards with magnetic stripes) to solve current security issues. It is time to revamp the transaction system starting with the cards themselves.

  22. I had a single card for years when I was traveling. Was BOA the worst customer service on the planet. I canceled in January. Took just a tad of adjusting to cash/check. I am saving an average of $1,200.00 per month because I purchase mostly what I need, not what I want.

  23. Debit and credit cards are prone to abuse anyway … by paying cash whenever possible, you avoid a large number of exposures to potential crooks, and you spend less when physically forking over your hard earned cash.

  24. Is it likely these multiple breaches required on-site access to computers? Because I can imagine that there are a small number of wholesalers who service all of these retailers and who would pretty much have the run of the back office areas to deliver goods and get a cup of coffee. A delivery guy who chats up the clerical staff would probably be allowed to “check his email” while he was there.

  25. Uh, what’s a “petard?” Oh, yeah, “The French used pétard, “a loud discharge of intestinal gas,” for a kind of infernal engine for blasting through the gates of a city. “To be hoist by one’s own petard,” a now proverbial phrase apparently originating with Shakespeare’s Hamlet (around 1604) not long after the word entered English (around 1598), means “to blow oneself up with one’s own bomb, be undone by one’s own devices.” The French noun pet, “fart,” developed regularly from the Latin noun pēditum, from the Indo-European root *pezd-, “fart.””

  26. I’d be interested to read a piece from the banks’ perspective. They are the ones that have to reprocess 400k new cards and recoup the fraudulent purchases. Obviously Michael’s has to deal with the backlash from the consumers, but what kind of pressure are banks putting on retailers to protect card data?

    • There is very little banks can do on their own since the whole system of who is responsible for what is in policies laid down under the direction of the US Congress. But banks can’t handle too many more breaches like this so something needs to be done. But you can’t get Congress to help since the Republicans and Democrats are playing politics as the Titanic is sinking. They really don’t believe this is a problem.

  27. It’s pretty bad when this happens often enough that you hack together a routine to automate searching your credit card statements. However, it is nice to be able to know in a matter of seconds that a breach doesn’t affect you.

    It’s a rough hack, but it works for me:
    # start with an empty scratch directory for the extracted statement text
    rm -rf ~/personal/financial/tmp
    mkdir ~/personal/financial/tmp

    # convert each bank's statement PDFs (current and 2013 archive) to text
    cd ~/personal/financial/AMEX/
    for pdf in *.pdf; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.
    cd old
    for pdf in *2013*.pdf ; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.

    cd ~/personal/financial/BofA/
    for pdf in *.pdf; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.
    cd old
    for pdf in *2013*.pdf ; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.

    cd ~/personal/financial/USBank*/
    for pdf in *.pdf; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.
    cd old
    for pdf in *2013*.pdf ; do echo "Processing $pdf file.."; pdftotext "$pdf" ; done
    mv *.txt ~/personal/financial/tmp/.

    # search for breached stores (case-insensitive)
    egrep -i 'michael|aaron' ~/personal/financial/tmp/*.txt > ~/personal/financial/tmp/breached-stores.txt
    # count matching lines
    wc -l ~/personal/financial/tmp/breached-stores.txt
    echo "If output above is greater than 0, review ~/personal/financial/tmp/breached-stores.txt"
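The egrep in the comment above flags every Michaels or Aaron Brothers charge on a statement, whatever its date. The script below is an added example (my code, not the commenter's or the post's) that narrows the check to the exposure windows Michaels disclosed: May 8, 2013 to January 27, 2014 for Michaels and June 26, 2013 to February 27, 2014 for Aaron Brothers. It assumes the pdftotext output has one transaction per line as MM/DD/YYYY, description, amount; the sample statement is constructed.

```python
"""Flag card charges that fall inside the exposure windows Michaels disclosed.

Added example, not code from the post or the commenter above. Assumes the text
that pdftotext produces from a statement has one transaction per line in the
form  MM/DD/YYYY  DESCRIPTION  AMOUNT ; a different statement layout needs a
different LINE_RE. SAMPLE_STATEMENT is constructed for this example.
"""
import re
from datetime import date, datetime

# Exposure windows as stated in the company's disclosure (inclusive).
EXPOSURE_WINDOWS = {
    "michaels": (date(2013, 5, 8), date(2014, 1, 27)),
    "aaron brothers": (date(2013, 6, 26), date(2014, 2, 27)),
}

# Assumed statement layout: date, free-text description, amount.
LINE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(.+?)\s+(-?\$?[\d,]+\.\d{2})\s*$"
)

# Constructed sample of pdftotext output; dates sit on both sides of each window.
SAMPLE_STATEMENT = """\
CARD STATEMENT (constructed sample)
04/02/2013  MICHAELS STORES #1234 DALLAS TX        $12.99
09/14/2013  MICHAELS STORES #1234 DALLAS TX        $8.47
09/20/2013  GROCERY MART DALLAS TX                 $54.10
02/10/2014  AARON BROTHERS #0042 IRVING TX         $31.00
03/05/2014  AARON BROTHERS #0042 IRVING TX         $19.50
Payment received - thank you                     -$126.06
"""


def parse_line(line):
    """Return (date, description, amount) for a transaction line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    txn_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
    return txn_date, m.group(2).strip(), m.group(3)


def exposed_merchant(description, txn_date, windows=EXPOSURE_WINDOWS):
    """Name the breached merchant if the charge is inside its window, else None."""
    desc = description.lower()
    for merchant, (start, end) in windows.items():
        if merchant in desc and start <= txn_date <= end:
            return merchant
    return None


def find_exposed(lines, windows=EXPOSURE_WINDOWS):
    """Scan statement lines; return the charges that fall in an exposure window."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # headers, payments and other non-transaction lines
        txn_date, desc, amount = parsed
        merchant = exposed_merchant(desc, txn_date, windows)
        if merchant is not None:
            hits.append({"date": txn_date, "merchant": merchant,
                         "description": desc, "amount": amount})
    return hits


def report(hits):
    """Human-readable summary, mirroring the commenter's 'review if > 0' step."""
    if not hits:
        return "No charges inside a disclosed exposure window."
    out = ["%d charge(s) inside a disclosed exposure window:" % len(hits)]
    for h in hits:
        out.append("  %s  %-14s %-36s %s" % (h["date"].isoformat(), h["merchant"],
                                             h["description"], h["amount"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(find_exposed(SAMPLE_STATEMENT.splitlines())))
```

To use it on real statements, feed it the lines of the .txt files the commenter's script collects under the tmp directory.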