Michaels Stores Suspect Data Breach

Michaels Stores, a Texas-based arts and crafts retailer, has announced it suspects a data breach within its point-of-sale system. Michaels may be the latest victim of cyber attacks on credit card data transmitted by U.S. retailers. Michaels CEO Chuck Rubin released a statement indicating that there is a concern regarding a data security breach. Rubin said that the attacks may have compromised customers' payment card information.

The nation's largest arts and crafts store has reported it is working with federal law enforcement and data security experts to probe the possibility of fraudulent use of payment cards used at the retailer. Currently, Michaels has not released any confirmation of the number of payment cards that may be affected. However, Rubin asked customers to take a close look at credit card and bank statements for inaccuracies. The company will review its 1,250 stores nationwide as the probe continues.

Michaels joins Target and Neiman Marcus as large companies that have been cyber attacked and had customers’ financial data compromised. Most recently, Neiman Marcus announced a million customers’ data had been compromised. This, coupled with Target’s statement of 110 million customers’ data being breached, has made this the most active period for compromised data. Both Target and Neiman Marcus were victims of malware that exported customer payment card information to criminal servers.

This malware, which attacks company point-of-sale systems, has been in the U.S. cyber security knowledge base since the spring of 2013. Information security companies have been following the sales of “BlackPOS” software on underground forum sites for nearly a year. While residing on the POS system, the malware is able to steal credit card information just after the card is swiped at a retailer. Though the information is encrypted, it is typically held on a retailer’s system until it is pushed up to processors for final validation and pay calculations. Some retailers do not ‘batch’ credit card sales for some time. Consumers may see several days lapse between shopping at a retailer and the charges appearing, especially when using bank debit cards. This could be a sign that retailers are allowing the data to remain on their systems too long.

At this time, Michaels has only announced that it suspects a data breach has occurred. Brian Krebs of Krebs on Security stated that several sources in the industry were tracking fraud activity on payment cards that were recently used at Michaels stores, which prompted a statement of caution from Michaels' CEO.

The Secret Service is involved with the investigations as the Target and Neiman Marcus attacks are believed to be sourced from the same criminal organization in Eastern Europe. The Secret Service has also said that as many as six major retailers have been targeted and there may be more in the near future. Hackers are able to continue to use weaknesses in Microsoft security to attack retailer systems and gain access to Track 1 and Track 2 data on payment cards. These data tracks contain card numbers, customer names and expiration dates.

Hackers have been known to post videos showing brazen attacks on retailers and showing how seemingly easy it is to breach the security of the retailers’ systems. Using Remote Desktop Protocol, also known as RDP, hackers are able to guess common, unchanged login information or attack with brute force to break through weak Internet Protocol address passwords. Internet security companies have urged retailers to disable RDP access to their Windows-based systems.

Michaels Stores' suspected data breach may be the next large story about compromised payment information in the U.S., and consumers must wonder how best to secure their payment information. It may become the responsibility of the large payment processors to devise a system that does not require the transmission of credit card numbers but instead uses an arbitrary number system. Perhaps the future of financial transactions will follow the token system, which creates a disposable number that is useless outside of the transaction.

By Anthony Clark

PC World
New York Times
USA Today