Michaels Stores confirms data breach, 3 million cards affected

Summary: The company said in January it learned of the breach and hired security firms to investigate. Michaels also said that it has contained the incident and the malware isn't a threat.

Art and crafts retailer Michaels Stores confirmed Thursday that about 3 million payment cards were affected by a data breach that ran from May 2013 to February 2014 in its Michaels and Aaron Brothers stores.

Retailers have been under fire for data breaches. Target late last year was hit with a large data breach that hurt the company's earnings and standing with customers.

The company said in January it learned of the breach and hired security firms to investigate. Michaels also said that it has contained the incident and the malware isn't a threat.

Michaels outlined the following:

  • The cards affected had payment card and expiration dates, but other personal information such as addresses, names and PINs weren't at risk.
  • Michaels stores were hit by point of system attacks between May 8, 2013 and Jan. 27. About 7 percent of the cards used, or 2.6 million cards, were affected.
  • Aaron Brothers confirmed the malware issue between June 26, 2013 and Feb. 27. About 400,000 cards were potentially affected.
  • As is standard practice, Michaels said it will offer identity protection, credit monitoring and fraud assistance to customers.

Talkback

9 comments
  • Anyone awake

    I noticed that this haul lasted about 9 months, which makes me wonder if anyone was awake at Michaels during that time.
    Linux_Lurker
    • Being a craft store

      I suspect that point of sale security was a bit of a do-it-yourself solution...
      Njia1
    • re: Anyone Awake

      Having had a brother-in-law that "worked" @ Michael's, I can assure you that, no, they were not awake...
      txdo_msk
  • "Michaels stores were hit by point of system attacks"

    What is a point of system attack? Did you mean point of sale (POS) system?
    PINs not at risk? I would hope not, as they aren't allowed to store that information.
    tiderulz
  • Another Class Action

    These companies need to be stopped and also report these breaches sooner
    http://www.consumerclassactionlawyers.com/michaels-data-breach.html
    DLS21
  • Need a magic hat to interpret wth this means

    Need a magic hat to interpret wth this means:

    "Art and crafts retailer Michaels Stores confirmed Thursday that it about 3 million payment cards were affected by a data breach that ran from May 2013 to February 2014 in its Michaels and Aaron Brothers stores."

    Copyedit these blogs with peeps who can speak/write grammatical English please.....get rid of Asian copyeditors.....they will never learn the English language or how to use the letter 's'.
    electric800
  • FBI

    We know that the FBI has warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year and the “3 million hit in Michaels data breach” is only one of them.

    The majority of attacks we are seeing now are advanced in that they are able to bypass existing security systems and may be undetected. The attacks may be reported by external sources several months later.

    We need to change our thinking and be more proactive. Recent breaches are attacking our data flow, even data in memory / RAM.

    The landscape is changing and among the myriad lessons from recent breaches, including the retailer Target, perhaps the most important is that “Compliance” does NOT equal Security.

    Target was certified as compliant according to all applicable regulations, and were discovered after the fact to have failed to meet many of the requirements.

    So how did this happen?

    - First, compliance is often used as a guide to the least possible amount of security necessary to comply.

    - Second, regulations are based on best practices to provide a baseline of security for past threats, not a solution to maximize security for the future.

    - Security auditors often come in selling a solution, rather than looking for a problem.

    - In other cases, auditors are paid to come in and find what they’re told to find by the very company they’re supposed to be assessing!

    - Many companies rely on access controls and firewalls for security, even though they consistently fail to prevent breaches.

    - Monitoring approaches like SIEM solutions are fogged by noise and usually find evidence only after a breach has already occurred.

    Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data. The answer lies in independently verified solutions that protect the data itself.

    Decoupling the assessment from the solution is vital to an unbiased audit.

    I think that cyber insurance should play a bigger role in this scenario. The insurance premium level should be related to the types of security controls that the merchant implements. The insurance premium could reflect the quality of the security solution and that of the auditing performed.

    In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.

    Studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users.

    With an objective system to verify security in place, and a strong solution to actually protect data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.

    Ulf Mattsson, CTO Protegrity
    ulf.mattsson@...
  • Larry

    Larry, learn some English or change WHO transcribes your copy!

    To wit:
    "Art and crafts retailer Michaels Stores confirmed Thursday that it about 3 million payment cards were affected"

    Could be Asian wannabe copy writers!
    electric800