05/11/2011 Michaels Stores Inc. (2011)
a retail business in New York, New York
94,000 accounts compromised
A number of PIN pads in Chicago-area Michaels stores were found to have been compromised. Michaels checked 7,200 PIN pads in 964 US stores. Fewer than 90 pads were found to have been compromised, but the affected pads were in 20 states. Michaels expects the process of replacing the pads to last about 15 days. The number of affected customers is in the tens of thousands. PIN pads in Canada will also be checked. The Chicago area was the hardest hit; 14 stores had compromised PIN pads. Customers who used their debit or credit cards at Michaels are encouraged to monitor their transaction records. Michaels Stores released an official statement. The location listed is Michaels headquarters. Customers from multiple states were affected. Those with questions may call 800-MICHAELS (642-4235).
UPDATE(05/19/2011): A suit seeks class-action status and more than $5 million in damages for people whose credit and debit accounts were compromised by the breach. The lawsuit claims that Michaels failed to protect customers from “cyber-pickpockets” who stole sensitive banking information from checkout keypads at stores in 20 states. Michaels is accused of knowingly violating federal and state law by failing to take reasonable steps to safeguard customers’ personal information. Michaels is also accused of failing to alert customers as soon as the security breach was discovered. There is now a theory that thieves used a combination of “false card readers”, wireless cameras or electronic membranes placed over keypads to collect the PINs and card information of Michaels’ customers. This allowed them to create fraudulent debit and credit cards.
UPDATE(05/31/2011): A second lawsuit was filed in late May. The new suit also seeks class-action status. It alleges that Michaels failed to safeguard shoppers’ credit and debit PINs and other information. The second lawsuit was filed by an Illinois resident who saw over $1,000 in fraudulent charges after making an $18.16 purchase at Michaels.
UPDATE(06/20/2011): An extensive fraud case has hit multiple areas of Oregon. Over 250 people have reported fraudulent charges related to cards that were used at Michaels stores.
UPDATE (06/27/2011): Four suspects were caught making fraudulent debit card transactions on camera. The images have been distributed by investigators hoping that someone in the Beaverton, Oregon area will recognize one or more of the people. Additionally, Michaels now faces a total of four lawsuits related to the data breach.
UPDATE (07/13/2011): A number of Iowa residents began reporting debit card fraud that could potentially be related to the Michaels breach.
UPDATE(03/21/2012): Two men will be sentenced for their roles in setting up phony debit and credit card pads in the 84 Michaels stores. Each pleaded guilty to one count of conspiracy to commit bank fraud, one count of bank fraud, and one count of aggravated identity theft. A total of 94,000 credit and debit card account numbers were stolen.
UPDATE(07/30/2012): The two men were each sentenced to 36 months in prison for conspiracy to commit bank fraud. An additional 24 months were added for aggravated identity theft. They must also pay $42,000 in restitution and will have five years of supervised release.
Update 7/30/2015 DOJ charges two
Two people, one in custody and one still at large, were charged in the plan to steal charge cards from Michaels’ stores by replacing point of sale (POS) terminals in 80 stores in 19 states. In just two months over 90,000 charge cards were compromised.
The indictment (9 page PDF summarized in a press release) describes how counterfeit cards, including their PINs, were created and used to withdraw money from automated teller machines (ATMs).
Update 11/20/2015 Review & Comment
BankInfoSecurity reviews how and why the 2011 breach was accomplished. Physically replacing the POS machines is risky: it puts the criminal in the store with the altered device, exposes the crook to surveillance (hopefully archived), and requires them to exit with the original device. Jump forward four years and the POS is more likely to be compromised via a weak point in the internet-of-things. In the large Target breach, investigators found they could compromise financial systems from the deli meat scale. Jump forward another four years to about 2020. Will crooks have found the next weak link?
[ my comment follows – ed ] Absent committee meetings, legal restraints, and moral inhibitions, crooks can be more efficient. They can focus on attacking one point while the potential victim has to defend everywhere. Crooks are neither stupid nor ignorant. Consider these classic battle elements already embraced by them:
Attack the undefended
Sun Tzu I-24. Attack him where he is unprepared, appear where you are not expected. VI-5. March swiftly to places where you are not expected. (See also VI-7 and -8.)
Be stealthy and focused; the victim has to watch everything
VI-13. By discovering the enemy’s dispositions and remaining invisible ourselves, we can keep our forces concentrated, while the enemy’s must be divided.
Use new techniques
VI-28. Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.
More of Sun Tzu’s strategy that has survived centuries.
See also Michaels’ 2014 breach