Michaels Stores confirmed yesterday that 2.6 million customer credit cards (approximately 7% of cards used during the affected period) were compromised in a credit card data breach that extended from May 2013 until January 2014. Another 400,000 cards were compromised at Aaron Brothers, a Michaels Stores subsidiary.
The company had warned of a possible data breach in late January, and indicated at that time it was working with the U.S. Secret Service to investigate what it called “a pattern of fraud activity” on credit cards that had links to Michaels Stores.
The Michaels credit card data breach affected point-of-sale systems at a limited number of Michaels Stores between May 8th, 2013 and January 27th, 2014. Not all locations were affected for the entire window. My local store in Palm Coast, Florida, for example, is listed as only being affected from May 8th-July 29th, 2013. The list of affected Michaels Stores, and the dates the individual stores were affected, can be viewed on their website.
Michaels Stores hired what it described as “two independent, expert security firms” to investigate and repair the breach. According to the company’s official statement, the firms determined that Michaels’ point-of-sale systems had been attacked using “highly sophisticated” malware that was previously unknown to both security companies. The breached data includes card numbers and expiration dates, but the company says there is no evidence that other customer data (such as addresses or card PINs) was compromised.
“Our customers are always our number one priority and we are truly sorry for any inconvenience or concern Michaels may have caused. We are committed to assisting affected customers by providing fraud assistance, identity protection and credit monitoring services. Importantly, with this incident now fully contained, we can assure customers this malware no longer presents a threat to shoppers at Michaels or Aaron Brothers,” said Chuck Rubin, CEO.
Mr. Rubin added, “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance. Michaels is committed to working with all appropriate parties to improve the security of payment card transactions for all consumers.”
Michaels is offering twelve months of free credit monitoring to customers who used a payment card at an affected store during that store’s affected dates. Details on obtaining the credit monitoring are available on the Michaels website. In addition, the company is offering free fraud assistance services to customers who experience fraud as a result of the breach. Information on the fraud assistance services is also available on the company website. (Similar services are being offered to affected Aaron Brothers customers.)
Credit card data breaches are becoming increasingly common as criminals take advantage of low-risk, high-tech means to “rob the bank”, and they are now a modern risk of doing business for both retailers and consumers. This is the second time in three years that Michaels Stores has been a target: in May 2011, the company announced the discovery of around 90 tampered PIN pads in its stores. Shortly after the new year, Target made headlines when one of the largest data breaches in history was discovered to have compromised the data of tens of millions of holiday shoppers using payment cards in its stores. That company is now the subject of lawsuits from banks seeking to recoup the cost of related fraud and mass card replacements for the affected consumers. As a result of the rising number of data breaches, major U.S. banks are accelerating a planned switch to “Chip & PIN” credit card technology, which is already in widespread use in the rest of the world and is much more secure because each transaction is encrypted.
Michaels Stores is working hard to ensure customer goodwill following the announcement yesterday. The announcement itself was accompanied by extensive information for customers on the assistance available to them. Then this morning, the company sent out a marketing email containing a coupon for 30% off an entire regular-price purchase on Saturday and Sunday, and it is running an Easter weekend sale with doorbusters on Friday and Saturday that are marked down to prices that compete with the store’s heavy Black Friday discounting.
Hanging over all of this is Michaels Stores’ planned IPO. The company has been owned since 2006 by private equity companies Bain Capital and Blackstone Group, who are now trying to cash out of their investment with an IPO. The equity companies’ IPO plans for Michaels Stores are starting to seem almost cursed, however. The company first filed for an IPO in March 2012; several weeks later CEO John Menzer suffered a stroke and never returned from medical leave. He was eventually replaced by current CEO Chuck Rubin. In December 2013, Michaels Stores withdrew the previous filing and made a new statement of intent to make an IPO; four weeks later, the company was forced to announce the possible credit card data breach.