Dark Reading is part of the Informa Tech Division of Informa PLC

Michaels Stores Investigates Data Breach

Arts-and-crafts retailer goes into damage-control mode after banks report fraud possibly tied to shoppers' credit cards.

Arts-and-crafts retailer Michaels Stores is the latest business to confirm that it's investigating an apparent hack attack against its systems resulting in the theft of shoppers' credit and debit card details.

"We recently learned of possible fraudulent activity on some US payment cards that had been used at Michaels, suggesting we may have experienced a data security attack," said Michaels CEO Chuck Rubin in a statement Friday.

"Although the investigation is ongoing, based on the information we have received and in light of the widely reported criminal efforts to penetrate the data systems of US retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred," he added. The company also posted a link to the statement -- "Important Notice About Certain Customer Payment Card Information" -- at the top of its website's homepage.

Michaels' statement came just hours after security journalist Brian Krebs first reported that multiple sources in the banking industry said elevated levels of fraud were traced to the accounts of people who shopped at the retailer.

So far, however, Michaels has yet to offer any breach-related details, such as attack timing or the number of cards that may have been compromised. But the retailer did say Friday that it's brought in third-party digital forensic investigators, continues to work with law enforcement agencies, will offer regular updates about the investigation on the Michaels website, and will extend ID theft monitoring to anyone who was affected. "If we find as part of our investigation that any of our customers were affected, we will offer identity protection and credit monitoring services to them at no cost," Rubin said.

Michaels operates more than 1,250 stores in the United States and Canada -- some under the Aaron Brothers name -- and appears to have quickly gone into damage-control mode. Notably, the retailer Saturday began offering a seven-day "40% off any one regular price item" promotion. That fast response could relate to the company's plans to go public this year. According to a related document filed in December with the Securities and Exchange Commission, the retailer booked $4.4 billion in 2012 revenue.

The apparent Michaels breach suggests that the retailer is the latest victim of hackers wielding memory-scraping point-of-sale (POS) malware. Previous victims have included Target, Neiman Marcus, and a handful of other retailers that have yet to disclose that they were breached.

How bad have those breaches been? For starters, the Target breach resulted in the theft of 40 million credit and debit cards used by shoppers in Target's retail stores, as well as personal information on 70 million Target customers. Meanwhile, Neiman Marcus disclosed Thursday that 1.1 million credit and debit cards -- though not PIN codes -- were compromised by hackers during a three-month attack. Those cards were all used by shoppers in its Neiman Marcus and Last Call stores. To date, Discover, MasterCard, and Visa have reported seeing about 2,400 of the stolen payment cards being used for fraudulent purchases.

In the past 10 months, US-CERT, which is part of the Department of Homeland Security, has published three security advisories warning retailers about the increasing threat of POS-malware attacks, as well as how to protect themselves.

In other data breach news, Coca-Cola disclosed Friday that a laptop stolen by a former employee contained personal information -- including social security and driver's license numbers -- on 74,000 current and former employees in North America, including information on about 4,500 contractors and vendors.

Unlike the breaches at Target and Neiman Marcus, however, Coke said its data breach occurred after a former employee stole 55 company laptops over a six-year period. Coke said it recovered the laptops in November and December and began reviewing the 200,000 files collectively stored on the machines for signs of personal information.

Coke found that the exposed personal information had been stored on the laptops in unencrypted form, thus in violation of Coke's data-encryption security policies. The company told The Wall Street Journal that it notified people who were affected by the breach within 45 days, which is the time limit set by states with the most stringent data breach laws.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Mathew,
User Rank: Apprentice
1/29/2014 | 11:30:31 AM
Re: Promising Career Path

Wait for it, wait for it: Michaels sued over possible data breach.

And yes, "digital forensic investigator" looks like an already hot job prospect that's just going to keep getting hotter.

BobH088,
User Rank: Apprentice
1/28/2014 | 1:24:40 PM
data loss
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags let someone who finds your lost stuff contact you directly without exposing your private information.  I use them on almost everything I take when I travel after one of the tags was responsible for getting my lost laptop returned to me in Rome one time. You can get them at mystufflostandfound.com
Ariella,
User Rank: Apprentice
1/27/2014 | 3:34:30 PM
Re: Killing debits
@Lorna even before all these huge breaches made the headlines, I was warned that debit cards are not very secure. The only time I ever used one for purchase was by mistake -- the cashier must have entered debit as a default.
D. Henschen,
User Rank: Apprentice
1/27/2014 | 2:14:01 PM
Promising Career Path
Looking for a promising career path related to the growth of big data and online transactions? Try "digital forensic investigator," as mentioned above. I'm guessing this is a white-hot niche within the already hot, larger category of computer security.
Lorna Garey,
User Rank: Ninja
1/27/2014 | 12:44:35 PM
Killing debits
At what point does all this breach news kill the willingness of consumers to enter PIN numbers to use debit cards? I never have done so, and just recently advised several family members to stop using debit.

That will cost banks and retailers -- and ultimately consumers -- money as CCs become the only game in town.  