Chuck Rubin, CEO of Michael’s Stores, the largest U.S. arts and crafts retailer, has confirmed a Point-of-Sale (POS) payment card system breach in some U.S. stores along with those of Aaron Brothers, a wholly owned subsidiary [1].

Breach Timeline

The sophisticated cybersecurity malware attack, which took place between May 8, 2013, and January 27, 2014, targeted a subset of the store's POS systems in use. The cybersecurity attack may have compromised approximately 2.6 million cards or roughly 7 percent of payment cards used in the stores during this time period. This figure was recently updated to 3 million [2].
Rubin said the compromised system is limited to payment card information that included the payment card numbers and expiration dates, but no user data such as name, address, or debit card PIN.


Potential Store Targets

Michael’s operates more than 1,105 stores in the United States and Canada along with 123 Aaron Brothers stores, acquired in 1995. In addition to arts, crafts, and hobby products Michaels, headquartered in Irving, TX, sells home decor items, picture framing materials, ready-made frames, and custom framing services.


Data Breach Lawsuits

Additional complications include a lawsuit filed by an Illinois consumer, Christina Moyer, who has sued the company in Chicago federal court on her own behalf and with other customers [3]. The charges are based on her position that Michaels has breached an implied promise of user data protection. This is one of several payment card industry (PCI) consumer lawsuits that include the class action lawsuit against Target, and the class action data breach suit against Neiman Marcus filed in the Eastern District of New York [4].


A POS Malware Epidemic

As we have seen recently, this is merely one in a string of attacks that have focused on POS systems and facilitated through the use of POS malware. In an earlier blog entry, we explored the topic in depth. Retailers need to take the time to gain a deeper understanding of the cyber threats that exist and put in place precautionary measures to secure their IT environments and enhance their cybersecurity position.
(Moyer case: U.S. District Court, Northern District of Illinois (Chicago), Moyer vs. Michaels Stores, 14-CV-561).
New Call-to-action
Jacqueline von Ogden
Post by Jacqueline von Ogden
May 8, 2014
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".