Saturday 1/25/2014
The United States Secret Service confirmed to Reuters that they are investigating a possible breach at Michaels, a Texas merchant that was breached in May 2011.
In the past two weeks there had been a pattern of fraudulent card activity that was traced back to Aaron Brothers which is owned by Michaels. The size and scope of the compromise has not been revealed. As of 11pm Central time 1/25/2014 there is nothing on the www.Michaels.com web site. They made a statement via their crisis communication firm.
… “We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves …
Michaels’ Statement
http://krebsonsecurity.com/wp-content/uploads/2014/01/MichaelsStatement.pdf
Michaels is a large specialty retailer of arts, crafts, framing, floral, wall decor and seasonal merchandise. The 2011 breach exposed some 94,000 card numbers via 80+ compromised PIN pads. In 2013 Michaels settled a class-action consumer lawsuit without admitting any wrongdoing.
[ http://www.reuters.com/article/2014/01/25/us-michaels-databreach-idUSBREA0O0N320140125 ]
More on the story
http://krebsonsecurity.com/2014/01/sources-card-breach-at-michaels-stores/
February 2014 Class Action
A class action lawsuit has been filed claiming
“the arts and crafts supplier failed to secure and safeguard customers’ private financial information”.
The suit also alleges that
“Michaels failed to adequately monitor its payment systems in such a manner that would enable the retailer to detect fraud or other signs of tampering so that the breach of security and diversion of customer information was able to continue unnoticed for a period of time”.
7/14/2014 Court dismisses a suit
“A federal court in Illinois held July 14 that an elevated risk of identity theft from a Michaels Stores Inc. breach provides standing, but without evidence of specific monetary damages that risk is insufficient to support statutory or common law claims (Moyer v. Michaels Stores, Inc., N.D. Ill., No. 1:14-cv-00561,dismissed 7/14/14). Judge Elaine E. Bucklo of the U.S. District Court for the Northern District of Illinois dismissed the case against the arts and crafts retailer, finding that the plaintiffs failed to plead monetary damages”. [bolding mine -ed]
Filings on the case available here
April 2014
Michaels confirmed that breach lasted from May 8, 2013 through January 27, 2014 and may have affected about 2.6 million cards.
4/17/2014 Statement from Michaels
4/17/2014 Updated FAQ
4/17/2014 more from Krebs
4/18/2014 Article from Daily Finance
Return to 2014 details page
Year links page
Return to References page
Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.
