Michael's Breach Made Possible with POS Malware

Chuck Rubin, CEO of Michael’s Stores, the largest U.S. arts and crafts retailer, has confirmed a Point-of-Sale (POS) payment card system breach in some U.S. stores along with those of Aaron Brothers, a wholly owned subsidiary [1].

Breach Timeline
The sophisticated cybersecurity malware attack, which took place between May 8, 2013 and January 27, 2014, targeted a subset of the store's POS systems in use. The cybersecurity attack may have compromised approximately 2.6 million cards, or roughly 7 percent of payment cards used in the stores during this time period. This figure was recently updated to 3 million [2].
Rubin said the compromised system is limited to payment card information that included the payment card numbers and expiration dates, but no user data such as name, address or debit car PIN.
Potential Store Targets
Michael’s operates more than 1,105 stores in the United States and Canada along with 123 Aaron Brothers stores, acquired in 1995. In addition to arts, crafts, and hobby products Michaels, headquartered in Irving, TX, sells home decor items, picture framing materials, ready-made frames and custom framing services.
Data Breach Lawsuits
Additional complications include a lawsuit filed by an Illinois consumer, Christina Moyer, who has sued the company in Chicago federal court on her own behalf and other customers [3]. The charges are based on her position that Michaels has breached an implied promise of user data protection. This is one of a number of payment card industry (PCI) consumer lawsuits that include the class action lawsuit against Target, and the class action data breach suit against Neiman Marcus filed in the Eastern District of New York [4].
A POS Malware Epidemic
As we have seen recently, this is merely one in a string of attacks that have focused on POS systems and facilitated through the use of POS malware. In an earlier blog entry we explored the topic in depth. Retailers need to take the time to gain a deeper understanding of the cyber threats that exist and put in place precautionary measures to secure their IT environments and enhance their cybersecurity position.
(Moyer case: U.S. District Court, Northern District of Illinois (Chicago), Moyer vs. Michaels Stores, 14-CV-561).
Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".