Michaels becomes latest retailer hit with credit card data breach

A few months after Target and Neiman Marcus announced that credit card data had been taken by cyber-criminals, the arts and crafts store franchise Michaels confirmed that millions of credit card numbers may have been lifted from its database.

In a press release, Michaels stated that the breach happened between May 8, 2013 and January 27, 2014. It added that the cyber criminals who committed this act used "highly sophisticated malware that had not been encountered previously by either of the security firms" the company used to discover the breach.

The end result was that 2.6 million credit card numbers that were used in Michaels stores in the U.S. were exposed in the breach, which amounts to about seven percent of the credit cards that were used in those stores. A second breach caused 400,000 more numbers to be taken from Michaels' Aaron Brothers store unit.

Michaels says there is no evidence that personal customer information such as names, addresses or PIN numbers was also taken as part of this stolen data. The company says that the malware that was used for this breach "no longer presents a threat". It added that it is working with law enforcement authorities, along with banks and payment processors, to contain the damage.

Source: Michaels | Michaels store image via Shutterstock


10 Comments


I don't know why all these retailers store cards on their systems. I would rather have to reenter my number than have this #### happen, and not have my number stored.

I'm not sure but I think this is similar to Target's hack where the cards were "swiped" at the sales register not from a stored database.

Either way all of these recent attacks should be a wake-up call to the credit card issuers and retailers that they need to beef up their security. They also need to finally be forced to stop tying your credit cards to your social security number and many other measures. I wish we had a government that gave a damn about consumers.....

I don't understand why people don't use virtual cards for online payments; it's secure and the shortness of life they have presents an added layer of security (in my case I use virtual cards that last only 30 days).

Paying with POS, on the other hand, is handled directly by the bank entities so unless a bad employee uses a fake POS it's damn difficult to hack into those.

Praetor said,
I don't understand why people don't use virtual cards for online payments; it's secure and the shortness of life they have presents an added layer of security (in my case I use virtual cards that last only 30 days).

Never heard of a virtual card, don't think they exist in the UK, what is it?

greenwizard88 said,
This was one of those POS hacks that is damn difficult to hack. Hence why it's such a large issue.

Not really, it was malware that was on the POS software; what I'm talking about is the Automatic Payment Terminals that are damn difficult to hack (unless you use a fake terminal). I work with some clients that use in-house made POS software and some that use POS made by software houses (all of that POS software is certified) and I can tell you that it had to be directly made malware to exploit those, since the software is so different (some is cloud, other is classical server-client apps and other is just web-based).

Having said that, audits of POS software are a necessity because this kind of direct attack is becoming more common. I do remember a scam some years ago that a software house that sold POS software (they were resellers and implementers) used: they installed the original software into the POS and then they installed a small app that basically logged every transaction that the POS software made, so they could hijack the transaction, steal 1 or 2 cents from it (neither the customer nor the client was aware of it) and make a new financial transaction into an obscure account with those stolen cents; when they were caught millions had been lost because of that. And they were caught because when the IRS found the incongruence of several enterprises, they issued an investigation that found they all had the same POS software implemented by the same company.

It's a virtual debit card; all of the banks in my country can use this system (it's made by the same financial entity that rules the ATMs) and it's free as well. All it takes is to activate your debit card with this system and you can issue as many virtual cards as you want and every one of them has a money limit; also it provides a very secure way to pay online because there's no visible tie from that card to your account (so even if they are compromised there is no way someone can steal all the money from you, only up to that money limit that you set).

n_K said,

Never heard of a virtual card, don't think they exist in the UK, what is it?

Temporary cards. They link to a real account but are only useful for a single transaction or for a very short period of time.