Magazine article American Banker

Michaels Breach Casts Doubt on Data Security

Magazine article American Banker

Michaels Breach Casts Doubt on Data Security

Article excerpt

Byline: Kate Fitzgerald

Michaels Stores Inc. said it was in the process of upgrading its payment terminals to tamper-resistant models when it discovered its current terminals had been compromised, but some experts say the retailer should have realized the need for those upgrades a lot sooner.

The breach has since snowballed into massive legal headaches and potential losses for the retailer, forcing Michaels in short order to replace more than 7,000 terminals nationwide.

"The question is whether Michaels invested in tamper-proof payment terminals before they got broken into, and apparently they did not," said Paul Martaus, president and chief executive of the merchant acquirer consulting firm Martaus & Associates of Mountain Home, Ark. "For years processors have been advertising so-called tamper-resistant terminals, and while that's a fine idea, who would think that a company like Michaels, which caters to people making relatively small purchases for crafts and hobbies, would need the heaviest guns to protect against a widespread payment terminal attack?"

Michaels, like many other organizations, said it was in compliance with generally accepted procedures to prevent such a security breach.

"Michaels undergoes a third-party security audit annually to make sure we are compliant with current requirements and standards, and have always been found in compliance," a Michaels representative said.

The Irving, Texas, retailer on May 25 announced that every U.S. store was equipped with "new, tamper-resistant payment card terminals," adding that it also has "implemented additional security measures to prevent this type of crime from reoccurring." The company has not disclosed the brand of payment terminals involved in the breach nor which brands it deployed as replacements.

And while Michaels executives likely thought they reacted as quickly as possible to stanch losses from the tampering attack, attorneys planning class-action lawsuits are scrutinizing the time line of the company's actions and their potential success in the litigation could escalate the company's potential losses.

Michaels warned in a May 26 quarterly Securities and Exchange Commission filing that other entities might seek damages, and payment card companies and associations also may impose fines. "We do not have sufficient information to reasonably estimate losses we may incur arising from the payment card terminal tampering," Michaels said in the filing.

The sequence of events in the breach is likely to be crucial in determining the extent of losses and pinpointing Michaels' liability, according to legal experts.

Secret Service agents on May 3 disclosed the breach to store executives, who then found that crooks had physically altered the payment terminals at about 8% of the company's 964 stores nationwide, enabling them to skim sensitive data from customers' cards, capture PINs and steal money directly from payment accounts.

Some 90 terminals at 80 Michaels stores spread across 20 states were involved, and at least 100 customers' accounts were affected. Customers of at least a dozen different banks and credit unions reportedly lost funds when criminals used the stolen data to make unauthorized ATM cash withdrawals, but Michaels said that number could rise as more reports surface.

Credit card account data also may have been exposed, although Michaels has not reported any related fraudulent credit card transactions.

The crafts-supply chain notified customers of the breach within two days of discovering the tampering. It also removed approximately 7,200 devices in its U.S. and Canada stores within approximately two weeks.

So far, Michaels has not disclosed details about how so many terminals were compromised, but analysts said all signs point to an organized group of criminals. The company says it is working with law enforcement authorities to apprehend the conspirators. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.