Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.
The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.
The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.
“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.
The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.
According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.
The company’s statement says the attack on Michaels’ targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”
“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”
Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.
“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.” Continue reading →