A Michaels store in Saugus, Mass., October 2012. Credit: Anthony92931/Creative Commons
Arts-and-crafts-supplies retailer Michaels Stores admitted Saturday (Jan. 25) that it may have been hit by credit-card thieves. If so, it would be the third major credit-card data breach reported in the past six weeks, following the Target and Neiman Marcus breaches.
Firm details about the Michaels data breach, such as how many customers may have been affected or what kind of malware was used, have not been released. We'll fill in that data as soon as we learn it. In the meantime, here's what we do know.
What happened in the Michaels data breach?
All that's certain right now (Monday, Jan. 27) is that Michaels, a retailer based in Irving, Texas, with about 1,250 stores nationwide, is investigating a possible rash of fraudulent credit- and debit-card transactions involving cards used at Michaels stores.
"We are concerned there may have been a data-security attack on Michaels that may have affected our customers' payment-card information, and we are taking aggressive action to determine the nature and scope of the issue," said Michaels CEO Chuck Rubin in a statement issued Saturday.
"While we have not confirmed a compromise to our systems," Rubin said, "we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment-card account statements for unauthorized charges."
Independent security blogger Brian Krebs, who broke the news of the Target and Neiman Marcus data breaches, may have triggered Michaels' admission when he called the company's public-relations firm Friday (Jan. 24). Krebs was seeking comment on reports he'd heard from confidential sources about fraudulent charges being racked up on cards used at Michaels.
The U.S. Secret Service, which often investigates mass credit-card fraud, on Saturday confirmed to Krebs and Reuters that it was investigating a possible data breach involving Michaels.
What's a data breach?
A data breach is an incident in which an organization entrusted to keep sensitive information secret loses control of that information, whether accidentally or through deliberate action.
Some data breaches occur when trusted insiders take information out of the organization, as happened with Edward Snowden and the National Security Agency; some take place when a company simply loses track of old laptops or data tapes.
In the cases of the recent Target and Neiman Marcus data breaches, malware implanted in the companies' payment systems copied credit- and debit-card information and sent it to servers controlled by online criminals.
It's not yet clear exactly what happened at Michaels.
Wasn't Michaels hit by a data breach before?
Yes, it was. In May 2011, a number of POS systems that had been physically tampered with so that they would secretly record card data were found in Michaels stores in the Chicago area. It quickly turned out that the problem affected more than 80 Michaels stores nationwide.
In 2012, two California men were each given sentences of five years in prison for operating as "cashers" who withdrew money from ATMs using cards cloned from those stolen in the first Michaels breach. The relatively light sentences indicate that the men probably weren't the scheme's masterminds.
The 2011 data breach was cited in documents Michaels filed in December 2013 in preparation for a planned initial public stock offering.
What was taken from Michaels' payment systems this time?
Right now, we don't know what was taken from Michaels, if anything, but it appears an unknown number of credit- and debit-card numbers may have been stolen.
What kind of malware was used in the Michaels data breach?
We don't know yet. Michaels has not said anything about the possible malware involved.
The card thefts at Target were made possible by a "RAM scraper," a specialized form of malware designed to infect point-of-sale (POS) devices attached to cash registers. The RAM scraper copied, or "scraped," each credit-card number at the precise split second when it appeared in a POS device's memory (RAM) after a customer's card swipe, but just before the number was encrypted.
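The defender's counterpart to that description, added here as an example and not taken from the article or from any of the retailers involved: a scan of a memory buffer for plaintext card numbers (digit-run length plus the Luhn check), the kind of test a PCI assessor or forensic analyst runs on a POS process dump to confirm that card data is not sitting unencrypted in RAM. The memory contents and card numbers below are constructed test values, not real accounts.

```python
import re

# Constructed sample: bytes as they might sit in a POS process's memory right
# after a swipe, with magstripe track data still in the clear. The card
# numbers are published test numbers, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00TERM-ID=0042\x00"
    b"%B4111111111111111^DOE/JANE^2512101?"        # track-1 layout (constructed)
    b"\x00\x00some other heap data 1234567890123\x00"  # 13 digits, fails Luhn
    b";5500000000000004=25121010000000000000?"     # track-2 layout (constructed)
    b"\x00enc:8f3a...\x00"
)

# A PAN is 13 to 19 digits; the lookarounds stop us matching inside a longer run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(buf: bytes) -> list[str]:
    """Return digit runs in buf that look like card numbers (length + Luhn)."""
    hits = []
    for m in PAN_RE.finditer(buf):
        cand = m.group(1).decode("ascii")
        if luhn_ok(cand):       # drops most random digit runs (order IDs, timestamps)
            hits.append(cand)
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking for reporting: first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_plaintext_pans(SAMPLE_MEMORY):
        print("plaintext PAN found in memory:", mask_pan(pan))
```

The 13-digit run in the middle of the buffer is deliberately included to show why the Luhn check matters: it has a plausible length but is rejected, while both track-formatted numbers are reported.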
Neiman Marcus has not stated exactly what kind of malware was used in its credit-card breach, but mentioned a "scraper" in its official comment on the case.
Are people who shopped at the Michaels website in any danger?
We don't know. Target and Neiman Marcus have reassured customers who had only shopped at their online stores that the data breaches did not affect them, but Michaels has made no such statement.
Is the Michaels data breach related to the Target and Neiman Marcus data breaches?
At the moment, there is no evidence that the Michaels incident is related to the Target and Neiman Marcus data breaches.
In mid-January, unnamed sources in the financial industry told Reuters that three retail chains other than Target and Neiman Marcus had been hit by credit-card-data thieves. It is possible Michaels is one of those three.
How could the Michaels data breach affect me?
If you have shopped at a Michaels store or on the Michaels website within the past year, check your credit-card or debit-card account statements for anything suspicious.
What do I do if I find my credit or debit card was involved in the Michaels data breach?
If you find something amiss on your credit-card or debit-card account statements, report it to your card issuer immediately. Michaels is inviting concerned customers to call its helpline at 1-877-412-7145, and promises free identity protection and credit monitoring to any customer who turns out to be affected.