Michaels Credit Card Data Breach Confirmed

Michaels thumbnailMichaels Stores confirmed yesterday that 2.6 million customer credit cards (approximately 7% of cards used during the affected period) were compromised in a credit card data breach that extended from May 2013 until January 2014. Another 400,000 cards were compromised at Aaron Brothers, a Michaels Stores subsidiary.

The company had warned of a possible data breach in late January, and indicated at that time it was working with the U.S. Secret Service to investigate what it called “a pattern of fraud activity” on credit cards that had links to Michaels Stores.

The Michaels credit card data breach affected point-of-sale systems at a limited number of Michaels Stores between May 8th, 2013 and January 27th, 2014. Not all locations were affected for the entire window. My local store in Palm Coast, Florida, for example, is listed as only being affected from May 8th-July 29th, 2013. The list of affected Michaels Stores, and the dates the individual stores were affected, can be viewed on their website.

Michaels Stores hired what it described as “two independent, expert security firms” to investigate and repair the breach. According to the company’s official statement, the firms determined that Michaels’ point-of-sale systems had been attacked with the use of “highly sophisticated” malware that was previously unknown to both security companies. The breached data includes card numbers and expiration dates but the company says there is no evidence that other customer data (such as addresses or card PIN numbers) was compromised.

“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” said Chuck Rubin, CEO.

Mr. Rubin added, “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”

Michaels is offering customers who used a payment card at an affected store during affected dates at that store free credit monitoring service for twelve months. Details on obtaining the credit monitoring are available on the Michaels website. In addition, the company is offering free fraud assistance services to customers who experience fraud as a result of the breach. Information on the fraud assistance services is also available on the company website. (Similar services are being offered to affected Aaron Brothers customers.)

Credit card data breaches are becoming increasingly common as criminals take advantage of low risk high tech means to “rob the bank”, and a modern risk of doing business as both a retailer and consumer. This is the second time in three years that Michaels Stores has been a target – in May 2011, they announced the discovery of around 90 tampered PIN pads in their stores. Shortly after the new year, Target made headlines when one of the largest data breaches in history was discovered to have compromised the data of tens of millions of holiday shoppers using payment cards in its stores. That company is now the subject of lawsuits from banks seeking to recoup the cost of related fraud and mass card replacements for the affected consumers. As a result of the rising number of data breaches, major U.S. banks are accelerating a planned switch to “Chip & PIN” credit card technology, which is already in widespread usage in the rest of the world, and is much more secure because each transaction is encrypted.

Michaels Stores is working hard to ensure customer goodwill following the announcement yesterday. The announcement itself was accompanied by extensive data for customers on assistance available to them. Then this morning, the company sent out a marketing email containing a coupon for 30% off entire regular price purchase on Saturday and Sunday, and is running an Easter weekend sale with doorbusters on Friday and Saturday that are marked down at prices that compete with the store’s heavy Black Friday discounting.

Hanging over all of this is Michaels Stores’ planned IPO. The company has been owned since 2006 by private equity companies Bain Capital and Blackstone Group, who are now trying to cash out of their investment with an IPO. The equity companies’ IPO plans for Michaels Stores are starting to seem almost cursed, however. The company first filed for an IPO in March 2012; several weeks later CEO John Menzer suffered a stroke and never returned from medical leave. He was eventually replaced by current CEO Chuck Rubin. In December 2013, Michaels Stores withdrew the previous filing and made a new statement of intent to make an IPO; four weeks later, the company was forced to announce the possible credit card data breach.

7 Responses to Michaels Credit Card Data Breach Confirmed

  1. Addie April 18, 2014 at 3:05 pm #

    Just before this Michael’s security issue became official, my credit card company warned me that a breach to my account had not happened, but was possible. They sent me a new card with minor, but significant changes. It occurred to me that these cyber attacks on Michaels, Target, and earlier Amazon and Zappos, might be related, and not the work of ordinary thieves but others trying to bring down the economy. I thought I was being paranoid until I read after the Target breach, the Federal Government (DOJ) contracted with Hewlett-Packard for cyber security research to the tune of $150 million. I know the companies haven’t done all they could by way of securing their systems, and they need to be held accountable. But I think we have a more serious challenge to meet here than just a few security breakdowns.

  2. Barb S April 19, 2014 at 7:57 am #

    This is the second time your posts have benefitted me personally and directly. I took action the first time and was very grateful I did, so will follow up with this as well. I appreciate your timely news reports. I am a craft industry consumer, not a business person, but this website is a must read for anyone connected or interested. Thank you, Nancy!

  3. Laura C - Michigan April 19, 2014 at 8:07 am #

    Now I’ve been compromised at Michaels and at Target. Target offered a much easier and better resolution to the issue. I am very disappointed with Michaels response to this. I had to find the list of store here on Nancy’s site because none of the news sites had the links she did. Me,my family and friends shop regularly at several of the affected Michaels stores. I’m very disappointed with this lack of notification by Michaels

  4. Vicky April 19, 2014 at 8:37 am #

    Any news on any breaches in Canada?

  5. Donna P April 19, 2014 at 9:40 am #

    Thank you Nancy for your reports on Michaels. I found I had not used my card during the dates of the breach at my local store.

  6. Sandi April 19, 2014 at 1:36 pm #

    Thank you so much for this information Nancy. I will call my bank and see what steps they think I should take.

  7. gabmcann April 19, 2014 at 11:08 pm #

    OMG scary stuff. I hope people can get their situations resolved

Let us know your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.